The Event Monster – Event Management, Events Calendar, Tickets plugin for WordPress is vulnerable to Insufficient Verification of Data Authenticity in versions up to, and including, 2.1.0. This is due to the capture_payment() AJAX handler (registered via wp_ajax_nopriv_em_capture_payment) trusting client-supplied payment data — including transaction ID, amount, and payment status — without performing any server-side verification against the PayPal API or any other payment gateway, and without nonce or capability checks. This makes it possible for unauthenticated attackers to forge payment records, mark bookings as Completed, and obtain confirmation emails containing valid QR code tickets without making any actual payment.
The Event Monster WordPress plugin fails to verify payment data server-side, allowing unauthenticated attackers to forge payment records and create fraudulent bookings. Attackers can bypass payment requirements and generate valid QR code tickets without actual payment.
A vulnerability in the Event Monster plugin for handling events and bookings in WordPress allows payment data to be forged. Unauthorized attackers can create fake payment records, switch bookings to Completed status, and obtain valid QR tickets without actually paying.
Event Monster plugin for WordPress does not verify payment information on the server, enabling unauthorized users to create fake payment records and fraudulent event bookings. Attackers can obtain valid QR code tickets without completing actual payment transactions.
Update Event Monster plugin to version 2.1.1 or later immediately. Implement server-side payment verification against PayPal API, add nonce validation to AJAX handlers, verify user capabilities before processing payments, and disable wp_ajax_nopriv for payment handlers. Audit payment records for fraudulent entries.
Update the Event Monster plugin to version 2.1.1 or later immediately. Implement server-side payment verification against the PayPal API, add nonce validation to the AJAX handlers, verify user capabilities before processing payments, and disable wp_ajax_nopriv for payment handlers. Review payment records to detect fraudulent entries.
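The remediation steps above (nonce check, capability check, no nopriv registration, verification against the payment gateway) are shown together in the following hardened AJAX handler. This is an added example written for this advisory, not code from the Event Monster plugin; the booking post type, meta keys, option names, nonce action, hook name and function names are all assumptions chosen for illustration. The key design change is that the client no longer supplies the transaction ID, amount or status: the handler looks up the PayPal order ID that was stored on the booking server-side when checkout began, asks the PayPal Orders API for the order's real status and amount, and only marks the booking Completed when those match what the booking expects.

```php
<?php
// Hardened payment-capture handler (added example; not the plugin's own code).
// Assumptions: bookings are posts of type 'em_booking' with '_em_amount', '_em_currency',
// '_em_status' and '_em_paypal_order_id' meta; PayPal credentials live in the options
// 'em_paypal_client_id' / 'em_paypal_client_secret'; 'em_paypal_sandbox' selects the API host.

// Registered for authenticated users only: no wp_ajax_nopriv_ hook, so anonymous
// requests never reach this code.
add_action( 'wp_ajax_em_capture_payment', 'em_secure_capture_payment' );

function em_paypal_api_base() {
    return get_option( 'em_paypal_sandbox', true )
        ? 'https://api-m.sandbox.paypal.com'
        : 'https://api-m.paypal.com';
}

// Client-credentials token for the PayPal REST API.
function em_paypal_access_token() {
    $credentials = get_option( 'em_paypal_client_id' ) . ':' . get_option( 'em_paypal_client_secret' );
    $response    = wp_remote_post( em_paypal_api_base() . '/v1/oauth2/token', array(
        'headers' => array(
            'Authorization' => 'Basic ' . base64_encode( $credentials ),
            'Content-Type'  => 'application/x-www-form-urlencoded',
        ),
        'body'    => 'grant_type=client_credentials',
        'timeout' => 15,
    ) );
    if ( is_wp_error( $response ) || 200 !== wp_remote_retrieve_response_code( $response ) ) {
        return null;
    }
    $data = json_decode( wp_remote_retrieve_body( $response ), true );
    return isset( $data['access_token'] ) ? $data['access_token'] : null;
}

// Fetch the order from PayPal; this, not $_POST, is the source of truth for status and amount.
function em_paypal_fetch_order( $order_id ) {
    $token = em_paypal_access_token();
    if ( ! $token ) {
        return null;
    }
    $response = wp_remote_get( em_paypal_api_base() . '/v2/checkout/orders/' . rawurlencode( $order_id ), array(
        'headers' => array( 'Authorization' => 'Bearer ' . $token ),
        'timeout' => 15,
    ) );
    if ( is_wp_error( $response ) || 200 !== wp_remote_retrieve_response_code( $response ) ) {
        return null;
    }
    return json_decode( wp_remote_retrieve_body( $response ), true );
}

function em_secure_capture_payment() {
    // 1. CSRF protection: the page must have been issued wp_create_nonce( 'em_capture_payment' ).
    check_ajax_referer( 'em_capture_payment', 'nonce' );

    // 2. Authorization: the booking must exist and belong to the caller (or caller is an admin).
    $booking_id = isset( $_POST['booking_id'] ) ? absint( $_POST['booking_id'] ) : 0;
    $booking    = get_post( $booking_id );
    if ( ! $booking || 'em_booking' !== $booking->post_type ) {
        wp_send_json_error( array( 'message' => 'Unknown booking.' ), 404 );
    }
    if ( (int) $booking->post_author !== get_current_user_id() && ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Not your booking.' ), 403 );
    }

    // 3. Idempotency: a completed booking is never re-processed (blocks replay of a real payment).
    if ( 'completed' === get_post_meta( $booking_id, '_em_status', true ) ) {
        wp_send_json_error( array( 'message' => 'Booking already completed.' ), 409 );
    }

    // 4. Use the order ID stored server-side at checkout start; ignore any client-supplied one.
    $order_id = get_post_meta( $booking_id, '_em_paypal_order_id', true );
    $order    = $order_id ? em_paypal_fetch_order( $order_id ) : null;
    if ( ! $order ) {
        wp_send_json_error( array( 'message' => 'Payment could not be verified.' ), 502 );
    }

    // 5. Verify status, currency and amount from PayPal's response. 'COMPLETED' means the order
    //    was actually captured (by the JS SDK, or by a server-side POST to .../orders/{id}/capture).
    $expected_amount   = number_format( (float) get_post_meta( $booking_id, '_em_amount', true ), 2, '.', '' );
    $expected_currency = get_post_meta( $booking_id, '_em_currency', true );
    $unit              = isset( $order['purchase_units'][0]['amount'] ) ? $order['purchase_units'][0]['amount'] : null;
    $paid_amount       = $unit ? number_format( (float) $unit['value'], 2, '.', '' ) : null;

    if ( 'COMPLETED' !== ( isset( $order['status'] ) ? $order['status'] : '' )
        || ! $unit
        || $unit['currency_code'] !== $expected_currency
        || $paid_amount !== $expected_amount ) {
        wp_send_json_error( array( 'message' => 'Payment does not match this booking.' ), 402 );
    }

    // 6. Only now record the payment and hand off to ticket/QR generation (assumed hook name).
    update_post_meta( $booking_id, '_em_status', 'completed' );
    update_post_meta( $booking_id, '_em_transaction_id', sanitize_text_field( $order['id'] ) );
    do_action( 'em_booking_completed', $booking_id );

    wp_send_json_success( array( 'booking_id' => $booking_id, 'status' => 'completed' ) );
}
```

When auditing an installation for the fraudulent entries the advisory mentions, the same comparison is useful offline: any booking marked Completed whose stored transaction ID does not resolve to a COMPLETED PayPal order with the booking's amount and currency was not verified by the gateway.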