The Easy PayPal Events & Tickets WordPress plugin versions 1.3 and earlier contains an information disclosure vulnerability in the QR code scanning endpoint. Unauthenticated attackers can enumerate and retrieve all customer order records by iterating over sequential WordPress post IDs through the scan_qr.php endpoint. This allows harvesting the complete set of orders stored in the database without requiring authentication or prior knowledge of specific order identifiers. The plugin was officially closed on March 18, 2026 due to this security issue.