A critical flaw (CVSS 9.8) in the Eventer WordPress plugin stores password reset keys in plaintext, letting unauthenticated attackers hijack any account—including administrators—when chained with a companion SQL injection bug.
What Is It
CVE-2026-9701 is an insecure password reset vulnerability (CWE-289, Authentication Bypass by Alternate Name) in the Eventer event manager plugin for WordPress. When a user requests a password reset, the plugin stores a plaintext copy of the reset key in the eventer_verification_code user meta field within wp_usermeta. That plaintext key can then be used with the plugin's custom reset action to set a new password for any user. The flaw carries a CVSS 3.1 base score of 9.8 (CRITICAL) with a network attack vector, low complexity, and no privileges or user interaction required.
Why It Matters
Because the reset key is stored in plaintext, an attacker who can read the wp_usermeta table can reset any account's password. The NVD record notes that when combined with another vulnerability such as SQL Injection (CVE-2026-9700), unauthenticated attackers can extract the plaintext reset key and take over any user account, including administrators—resulting in full compromise of the affected WordPress site. The vector's high confidentiality, integrity, and availability impacts reflect this total account-takeover potential.
One important caveat from the source: the password reset function only works up to PHP version 7.4.
What's Vulnerable
- Vendor/product: joe007; Eventer (WordPress Event Manager plugin)
- Affected versions: all versions up to and including 4.4.2
- Weakness: CWE-289
Patch Status
The supplied source material does not include a CISA KEV entry for this CVE, so there is no confirmation of active exploitation and no KEV-mandated remediation deadline at this time. The NVD record (published 2026-07-08, status "Received") lists no fixed version or explicit patch guidance beyond identifying 4.4.2 and earlier as affected.