PT-2025-17703 · WordPress · My Tickets

Ngocanh Le · Published 2025-04-24 · Updated 2025-04-29 · CVE-2025-3761

CVSS v3.1: 8.8 (High)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

My Tickets – Accessible Event Ticketing plugin for WordPress versions up to and including 2.0.16

Description

The mt_save_profile() function does not properly restrict which users may update roles. This allows authenticated attackers with Subscriber-level access or higher to update their role to that of an administrator.

Recommendations

For versions up to and including 2.0.16, update to a version higher than 2.0.16 to resolve the issue. As a temporary workaround, consider restricting access to the mt_save_profile() function to prevent unauthorized role updates until a patch is available.

Fix

LPE

Weakness Enumeration: Improper Privilege Management

Related Identifiers: CVE-2025-3761

Affected Products: My Tickets