Description
The Eventer plugin for WordPress is vulnerable to an insecure password reset mechanism in all versions up to, and including, 4.4.2. The plugin stores a plaintext copy of the password reset key in the `eventer_verification_code` user meta field when a user requests a password reset. The plaintext key stored in `wp_usermeta` can be used with the plugin's custom reset action to set a new password for any user. Combined with another vulnerability such as SQL Injection (CVE-2026-9700), this makes it possible for unauthenticated attackers to extract the plaintext reset key and take over any user account, including administrators. Note: The password reset function only works up to PHP version 7.4.
Problem types
CWE-289 Authentication Bypass by Alternate Name
Product status
Any version
Timeline
| 2026-07-07: | Disclosed |
Credits
Rafie Muhammad
References
www.wordfence.com/...-1eac-4a96-99e9-c22d64984923?source=cve
codecanyon.net/...er-wordpress-event-manager-plugin/20972534