@4lec4st
Created May 2, 2026 10:10
CVE-2026-41471 - Information Disclosure via QR Code Endpoint

Summary

An IDOR vulnerability in the QR endpoint allows unauthenticated attackers to access sensitive order information.

Technical Details

Order IDs are sequential WordPress post IDs and can be enumerated.

Proof of Concept

GET /?action=add_wpeevent_button_qr&order=1|1|test

GET /?action=add_wpeevent_button_qr&order=1|2|test

Exposed Data

  • PayPal transaction IDs
  • Email addresses
  • Purchase details
  • Order status

Impact

Attackers can enumerate and extract sensitive customer data at scale.

Remediation

  • Implement authorization checks
  • Use non-predictable identifiers
  • Restrict access to authenticated users
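The following PHP handler is an added example of how the three remediation points fit together for this endpoint; it is not the plugin's own code. It assumes orders are WordPress posts whose buyer is recorded in post_author, and the function names wpeevent_* and the meta key _qr_token are hypothetical.

```php
<?php
// Added example, not the plugin's own code. Sketches the three remediation
// points for the QR endpoint: authentication, authorization, opaque identifiers.
// Assumed: orders are posts whose buyer is recorded in post_author, and the
// hypothetical meta key _qr_token holds a per-order random token.

function wpeevent_qr_token_for_order( int $order_id ): string {
    // Issue an unguessable token once per order instead of exposing the sequential post ID.
    $token = get_post_meta( $order_id, '_qr_token', true );
    if ( ! is_string( $token ) || $token === '' ) {
        $token = wp_generate_password( 32, false ); // 32 alphanumeric chars, CSPRNG-backed
        update_post_meta( $order_id, '_qr_token', $token );
    }
    return $token;
}

function wpeevent_handle_qr_request(): void {
    if ( ! isset( $_GET['action'] ) || $_GET['action'] !== 'add_wpeevent_button_qr' ) {
        return;
    }
    // 1. Restrict the endpoint to authenticated users.
    if ( ! is_user_logged_in() ) {
        wp_die( 'Authentication required.', 'Unauthorized', array( 'response' => 401 ) );
    }
    // 2. Accept "order=<token>|<item>|<label>" and validate every part before use.
    $raw   = isset( $_GET['order'] ) ? sanitize_text_field( wp_unslash( $_GET['order'] ) ) : '';
    $parts = explode( '|', $raw, 3 );
    if ( count( $parts ) !== 3 || ! preg_match( '/^[A-Za-z0-9]{32}$/', $parts[0] ) || ! ctype_digit( $parts[1] ) ) {
        wp_die( 'Bad request.', 'Bad Request', array( 'response' => 400 ) );
    }
    // Resolve the token to an order; a guessed numeric ID no longer selects anything.
    $matches = get_posts( array(
        'post_type'      => 'any', // the order post type is not named on the page
        'post_status'    => 'any',
        'meta_key'       => '_qr_token',
        'meta_value'     => $parts[0],
        'posts_per_page' => 1,
        'fields'         => 'ids',
    ) );
    $order = $matches ? get_post( $matches[0] ) : null;
    // 3. Authorization: only the buyer or a site administrator may read the order.
    $is_owner = $order && (int) $order->post_author === get_current_user_id();
    if ( ! $order || ( ! $is_owner && ! current_user_can( 'manage_options' ) ) ) {
        // Same response for "missing" and "not yours" so the endpoint cannot confirm which orders exist.
        wp_die( 'Not found.', 'Not Found', array( 'response' => 404 ) );
    }
    // ... render the QR code for $order->ID, $parts[1] and $parts[2] here ...
}
add_action( 'init', 'wpeevent_handle_qr_request' );
```

Links that embed the order reference must be generated with wpeevent_qr_token_for_order() so that existing numeric-ID links stop resolving once the fix is deployed.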

Credits

Discovered by 4lec4st
