{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39535", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-07T10:48:15.448Z", "datePublished": "2026-04-08T08:30:16.732Z", "dateUpdated": "2026-04-08T08:30:16.732Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "widget-for-eventbrite-api", "product": "Display Eventbrite Events", "vendor": "fullworks", "versions": [{"changes": [{"at": "6.5.7", "status": "unaffected"}], "lessThanOrEqual": "6.5.6", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Bao - BlueRock | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-08T10:29:00.613Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in fullworks Display Eventbrite Events widget-for-eventbrite-api allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Display Eventbrite Events: from n/a through <= 6.5.6.</p>"}], "value": "Missing Authorization vulnerability in fullworks Display Eventbrite Events widget-for-eventbrite-api allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Display Eventbrite Events: from n/a through <= 6.5.6."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:16.732Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/widget-for-eventbrite-api/vulnerability/wordpress-display-eventbrite-events-plugin-6-5-6-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress Display Eventbrite Events plugin <= 6.5.6 - Broken Access Control vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in fullworks Display Eventbrite Events widget-for-eventbrite-api allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Display Eventbrite Events: from n/a through <= 6.5.6."}], "id": "CVE-2026-39535", "lastModified": "2026-04-08T21:26:35.910", "metrics": {}, "published": "2026-04-08T09:16:26.213", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/widget-for-eventbrite-api/vulnerability/wordpress-display-eventbrite-events-plugin-6-5-6-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,6.5.6]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.5.7,*]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Display Eventbrite Events", "source": "cna", "vendor": "fullworks"}, "product": "display_eventbrite_events", "vendor": "fullworks"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-08T09:53:11.040624+00:00", "value": {"mitigation_remediation": ["Upgrade to the latest version of the Display Eventbrite Events plugin (\u22656.5.7 if available) to resolve the access control issue", "If an update cannot be applied immediately, restrict access to the plugin\u2019s admin pages using role\u2011based permissions or disable the plugin until a patch is available", "Review WordPress user roles and permissions to ensure only trusted administrators have ability to manage events", "Monitor plugin usage and logs for suspicious activity that might indicate exploitation"], "summary": {"action": "Immediate Patch", "impact": "Unauthorized Access to Plugin Data"}, "threat_synthesis": {"affected_systems": "WordPress installations running fullworks Display Eventbrite Events widget\u2011for\u2011eventbrite\u2011api version 6.5.6 or earlier are affected. All site administrators deploying this plugin before version 6.5.7 are potentially at risk.", "description_and_impact": "Missing authorization in the Display Eventbrite Events plugin lets an attacker gain unauthorized access to the plugin\u2019s data or functions. This broken access control weakness can expose detailed event information or allow manipulation of event listings. The vulnerability is a classic example of incorrect configuration of security levels that violate expected user permissions.", "risk_and_exploitability": "The CVSS score is not provided, but the issue represents a non\u2011local remote access threat that can be exploited through the plugin\u2019s web interface. No EPSS or KEV data is available, indicating there is no current evidence of widespread exploitation. Nevertheless, attackers could potentially use crafted HTTP requests or exploit the plugin\u2019s exposed endpoints to bypass authentication and retrieve or modify event data. The risk is heightened on sites that allow unauthenticated or low\u2011privilege users to interact with the plugin."}}}}, "created": "2026-04-08T19:30:25.327656+00:00", "updated": "2026-04-08T19:42:42.232473+00:00", "vendors": ["fullworks", "fullworks$PRODUCT$display_eventbrite_events", "wordpress", "wordpress$PRODUCT$wordpress"]}