PT-2025-42698 · WordPress · Event Tickets/Registration

Jack Pas · Published 2025-10-18 · Updated 2025-10-18 · CVE-2025-11517

CVSS v3.1: 7.5 High

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Name of the Vulnerable Software and Affected Versions

Event Tickets and Registration plugin for WordPress versions prior to 5.26.6

Description

The Event Tickets and Registration plugin for WordPress has a flaw that allows bypassing payment for tickets. The /wp-json/tribe/tickets/v1/commerce/free/order API endpoint does not properly verify that a ticket type should be free, so unauthenticated attackers can obtain paid tickets without paying. This impacts revenue for the affected site.

Recommendations

Update the Event Tickets and Registration plugin for WordPress to version 5.26.6 or later.
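
To review past use of the endpoint named in the description, the following added example (not part of the advisory or the plugin) scans web server access logs for successful POST requests to the free-order route. It assumes Combined Log Format; the helper names and sample lines are constructed for illustration. Legitimate free-ticket orders use the same route, so hits are candidates to reconcile against orders for paid ticket types.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, unquote, urlsplit

ROUTE = "/tribe/tickets/v1/commerce/free/order"  # REST route named in the advisory

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def rest_route(target):
    """Return the WordPress REST route a request target addresses, or None."""
    parts = urlsplit(target)
    path = unquote(parts.path)
    if "/wp-json/" in path:  # pretty-permalink form, also under a subdirectory
        return "/" + path.split("/wp-json/", 1)[1].strip("/")
    # WordPress also accepts REST calls as ?rest_route=/namespace/route
    routes = parse_qs(parts.query).get("rest_route")
    return "/" + routes[0].strip("/") if routes else None

def free_order_hits(lines):
    """Yield (ip, time, status) for successful POSTs to the free-order route."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or not m["status"].startswith("2"):
            continue
        if rest_route(m["target"]) == ROUTE:
            yield m["ip"], m["time"], int(m["status"])

def hits_per_client(lines):
    """Count matching requests per client address."""
    return Counter(ip for ip, _, _ in free_order_hits(lines))

# Constructed sample log lines (documentation address ranges), not real traffic.
SAMPLE = [
    '203.0.113.7 - - [17/Oct/2025:10:01:02 +0000] "POST /wp-json/tribe/tickets/v1/commerce/free/order HTTP/1.1" 200 512 "-" "curl/8.5.0"',
    '203.0.113.7 - - [17/Oct/2025:10:01:09 +0000] "POST /?rest_route=%2Ftribe%2Ftickets%2Fv1%2Fcommerce%2Ffree%2Forder HTTP/1.1" 201 498 "-" "curl/8.5.0"',
    '198.51.100.4 - - [17/Oct/2025:10:02:00 +0000] "GET /wp-json/tribe/tickets/v1/commerce/free/order HTTP/1.1" 404 90 "-" "Mozilla/5.0"',
    '192.0.2.15 - - [17/Oct/2025:10:03:00 +0000] "POST /wp-json/tribe/tickets/v1/commerce/free/order/ HTTP/1.1" 403 120 "-" "Mozilla/5.0"',
    '192.0.2.20 - - [17/Oct/2025:10:04:00 +0000] "POST /wp-json/wp/v2/comments HTTP/1.1" 201 300 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in free_order_hits(SAMPLE):
        print(hit)
```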

Fix

IDOR

Weakness Enumeration

Related Identifiers: CVE-2025-11517

Affected Products: Event Tickets/Registration