CVE-2026-9701

joe007 · Eventer

The Eventer WordPress plugin stores password reset keys in plaintext, allowing unauthenticated attackers to hijack user accounts.

Executive summary

A critical authentication bypass vulnerability in the Eventer WordPress plugin allows unauthenticated attackers to hijack any user account, including administrators.

Vulnerability

The plugin insecurely stores plaintext password reset keys in the eventer_verification_code meta field. Unauthenticated attackers can leverage this, potentially in conjunction with other vulnerabilities like SQL injection, to retrieve these keys and reset passwords for arbitrary accounts.

Business impact

This vulnerability carries a CVSS score of 9.8, indicating maximum severity. Successful exploitation allows for complete account takeover, granting attackers administrative access to the WordPress instance. This leads to full site control, unauthorized data access, and the potential to inject malicious content into the site.

Remediation

Immediate Action: Update the Eventer plugin to the latest version immediately to ensure secure handling of password reset keys.

Proactive Monitoring: Monitor user metadata tables for suspicious entries in the eventer_verification_code field and audit successful password reset events.

Compensating Controls: Ensure the site is protected by a WAF and disable the password reset functionality if the plugin cannot be updated immediately.

Exploitation status

Public Exploit Available: False

Analyst recommendation

Account takeover vulnerabilities are high-priority risks that must be addressed immediately. Administrators should update the Eventer plugin to the latest version, verify that no unauthorized accounts have been created or modified, and force a password reset for all administrative users.