WordPress Plugin Vulnerabilities

Event Tickets and Registration < 5.26.6 - Unauthenticated Ticket Payment Bypass

Description

The Event Tickets and Registration plugin for WordPress is vulnerable to payment bypass in all versions up to, and including, 5.26.5. This is due to the /wp-json/tribe/tickets/v1/commerce/free/order endpoint not verifying that a ticket type should be free allowing the user to bypass the payment. This makes it possible for unauthenticated attackers to obtain access to paid tickets, without paying for them, causing a loss of revenue for the target.

Affects Plugins

Plugin icon
event-tickets
Fixed in 5.26.6

References

CVE
CVE-2025-11517
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/21cd8cb8-2a29-4b66-ab7a-8d8b2f85e2e0

Classification

Type
IDOR
OWASP top 10
A5: Broken Access Control
CWE
CWE-639
CVSS
7.5 (high)

Miscellaneous

Original Researcher
Jack Pas (Dark.)
Verified
No
WPVDB ID
5578d63c-7124-4326-b108-0b6af645e7b5

Timeline

Publicly Published
2025-10-17 (about 6 months ago)
Added
2025-10-17 (about 6 months ago)
Last Updated
2025-10-18 (about 6 months ago)

Other

Published
Title
Published
2025-12-31
Title
Order Cancellation & Returns for WooCommerce <= 1.1.10 - Authenticated (Subscriber+) Insecure Direct Object Reference
Published
2025-07-25
Title
MinimogWP < 3.9.1 - Unauthenticated Price Manipulation
Published
2025-12-29
Title
FiveStar <= 1.7 - Authenticated (Subscriber+) Insecure Direct Object Reference
Published
2025-12-06
Title
Thim Elementor Kit < 1.3.4 - Authenticated (Contributor+) Insecure Direct Object Reference
Published
2024-01-16
Title
Display custom fields in the frontend – Post and User Profile Fields < 1.3.0 - Insecure Direct Object Reference to Authenticated (Contributor+) Post Meta Disclosure