CVE-2026-32834 Overview
CVE-2026-32834 is an authentication bypass vulnerability in the Easy PayPal Events & Tickets plugin for WordPress, version 1.3 and earlier. The plugin contains a hardcoded value in its QR code scanning functionality that lets attackers skip hash verification by submitting test as the hash parameter. Unauthenticated remote attackers can invoke the add_wpeevent_button_qr action to retrieve order details for any post ID, exposing PayPal transaction IDs, customer email addresses, purchase amounts, and ticket information. The plugin was officially closed on the WordPress plugin directory as of 2026-03-18, leaving no vendor patch available. The weakness is classified under [CWE-798: Use of Hard-coded Credentials].
Critical Impact
Unauthenticated attackers can extract PayPal transaction data and customer personal information from any site running the affected plugin.
Affected Products
- Easy PayPal Events & Tickets plugin for WordPress, version 1.3
- Easy PayPal Events & Tickets plugin for WordPress, all earlier versions
- WordPress installations with the plugin active (plugin closed as of 2026-03-18)
Discovery Timeline
- 2026-05-04 - CVE-2026-32834 published to NVD
- 2026-05-05 - Last updated in NVD database
Technical Details for CVE-2026-32834
Vulnerability Analysis
The Easy PayPal Events & Tickets plugin exposes an AJAX action named add_wpeevent_button_qr to support QR code ticket validation at events. Each ticket carries a hash that the endpoint should verify before returning order details. The plugin's verification routine accepts the literal string test as a valid hash, short-circuiting the integrity check. Any client supplying that value can request order data for arbitrary post_id values without authenticating.
The endpoint returns sensitive fields tied to completed PayPal transactions, including transaction identifiers, buyer email addresses, amounts paid, and ticket metadata. Because post IDs in WordPress are sequential integers, attackers can enumerate orders by iterating IDs against the vulnerable handler.
Root Cause
The root cause is a hardcoded comparison string embedded in the QR validation code path. The developer appears to have left a debugging shortcut in production: when the submitted hash equals test, the code skips the cryptographic check and proceeds to return order data. This pattern matches [CWE-798] because the literal value functions as a universal credential bypassing access control.
Attack Vector
Exploitation requires only network access to the WordPress site. An attacker sends an HTTP request to the WordPress AJAX endpoint, invoking the add_wpeevent_button_qr action with hash=test and a target post_id. No user account, session, or referer header is required. The handler returns a JSON response containing the order's PayPal transaction ID, customer email, total amount, and ticket details. Iterating numeric post IDs lets attackers harvest data across all event orders. Public proof-of-concept material is available via the GitHub Gist PoC and the VulnCheck Advisory.
Detection Methods for CVE-2026-32834
Indicators of Compromise
- HTTP POST or GET requests to /wp-admin/admin-ajax.php containing action=add_wpeevent_button_qr paired with hash=test.
- Sequential enumeration of post_id values from a single source IP within a short time window.
- Outbound traffic from web servers returning JSON payloads containing PayPal txn_id fields to unauthenticated clients.
- Unusual spikes in admin-ajax.php traffic on sites running the Easy PayPal Events & Tickets plugin.
Detection Strategies
- Inspect WordPress access logs for the add_wpeevent_button_qr action combined with the literal hash value test.
- Deploy a web application firewall rule that blocks requests to the affected action when the hash parameter equals test or other known bypass tokens.
- Correlate enumeration patterns by alerting on a single client requesting many distinct post_id values against the same AJAX action.
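As an added example (not code from the advisory or the plugin), the following Python script applies the two detection strategies above to web server access log lines: it flags requests to the vulnerable action carrying hash=test and correlates distinct post_id values per client IP. The combined log format, the enumeration threshold and the sample lines are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Combined/common log format: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

BYPASS_ACTION = "add_wpeevent_button_qr"
BYPASS_HASH = "test"   # the hardcoded value the plugin accepts as a valid hash
ENUM_THRESHOLD = 5     # assumed: distinct post_id values per IP that count as enumeration

def parse_line(line):
    """Return the AJAX parameters of an admin-ajax.php request, or None (query string only; POST bodies are not logged)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not parts.path.endswith("/wp-admin/admin-ajax.php"):
        return None
    q = parse_qs(parts.query)
    first = lambda k: q.get(k, [None])[0]
    return {"ip": m.group("ip"), "status": m.group("status"),
            "action": first("action"), "hash": first("hash"), "post_id": first("post_id")}

def analyze(lines, threshold=ENUM_THRESHOLD):
    """Flag bypass attempts (hash=test) and per-IP post_id enumeration against the action."""
    bypass_hits, post_ids_by_ip = [], defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["action"] != BYPASS_ACTION:
            continue
        if rec["hash"] == BYPASS_HASH:
            bypass_hits.append((rec["ip"], rec["post_id"], rec["status"]))
        if rec["post_id"] is not None:
            post_ids_by_ip[rec["ip"]].add(rec["post_id"])
    enumerators = sorted(ip for ip, ids in post_ids_by_ip.items() if len(ids) >= threshold)
    return {"bypass_hits": bypass_hits, "enumerators": enumerators}

# Constructed sample lines (not from any real site): one client iterating post IDs with the bypass token, one legitimate validation, one unrelated AJAX call.
SAMPLE_LOG = [
    f'203.0.113.7 - - [04/May/2026:10:00:{s:02d} +0000] "GET /wp-admin/admin-ajax.php'
    f'?action=add_wpeevent_button_qr&hash=test&post_id={100 + s} HTTP/1.1" 200 512'
    for s in range(6)
] + [
    '198.51.100.4 - - [04/May/2026:10:01:00 +0000] "GET /wp-admin/admin-ajax.php'
    '?action=add_wpeevent_button_qr&hash=9f2a1c7e&post_id=100 HTTP/1.1" 200 512',
    '198.51.100.9 - - [04/May/2026:10:01:05 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 64',
]
```

Run analyze() over real access logs in the same format; a non-empty bypass_hits list is a direct indicator of the CVE-2026-32834 bypass pattern, and enumerators lists clients that iterated post IDs against the action regardless of the hash they sent.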
Monitoring Recommendations
- Forward WordPress and reverse proxy logs to a centralized analytics platform and retain them long enough to investigate retroactive abuse.
- Monitor outbound payloads from admin-ajax.php for fields such as txn_id, customer email patterns, and PayPal-related strings.
- Track installation inventory of the Easy PayPal Events & Tickets plugin across managed WordPress sites and flag any version at or below 1.3.
How to Mitigate CVE-2026-32834
Immediate Actions Required
- Deactivate and remove the Easy PayPal Events & Tickets plugin from all WordPress installations, since the plugin was closed on 2026-03-18 and no fixed version exists.
- Audit prior order data for unauthorized access by reviewing access logs for requests matching the bypass pattern.
- Notify customers whose PayPal transaction details and email addresses may have been exposed, in line with applicable breach disclosure requirements.
- Rotate any shared secrets or API keys that may have been linked to the affected event ordering workflow.
Patch Information
No official patch is available. The plugin was officially closed in the WordPress plugin directory as of 2026-03-18, and version 1.3 remains the last published release. Site operators should migrate to a maintained event ticketing plugin and remove the vulnerable code. Refer to the WordPress Plugin Page for the closure status and the VulnCheck Advisory for full technical details.
Workarounds
- Block requests to admin-ajax.php that include action=add_wpeevent_button_qr at the web application firewall or reverse proxy.
- Restrict access to the WordPress admin AJAX endpoint by IP allowlist where business workflows permit.
- Replace the plugin with an actively maintained ticketing solution that enforces authenticated, cryptographically verified QR validation.
# Example WAF rule to block the vulnerable action (nginx)
# $arg_action matches the action in the query string (GET). Plain nginx cannot
# inspect a POST body inside "if" ($request_body is not populated at the rewrite
# phase), so body matching needs a WAF module such as ModSecurity or a proxy rule.
location = /wp-admin/admin-ajax.php {
    if ($arg_action = "add_wpeevent_button_qr") { return 403; }
    # Keep the site's normal PHP handler (fastcgi_pass to php-fpm) in this block;
    # an exact-match location with no handler would serve the PHP file as static content.
    # ... existing PHP handler configuration goes here ...
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.