The Event Tickets and Registration plugin for WordPress is vulnerable to payment bypass in all versions up to, and including, 5.26.5. This is due to the /wp-json/tribe/tickets/v1/commerce/free/order endpoint not verifying that a ticket type should be free allowing the user to bypass the payment. This makes it possible for unauthenticated attackers to obtain access to paid tickets, without paying for them, causing a loss of revenue for the target.
Metrics
Affected Vendors & Products
Advisories
No advisories yet.
Fixes
Solution
No solution given by the vendor.
Workaround
No workaround given by the vendor.
References
History
Sat, 18 Oct 2025 07:00:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | The Event Tickets and Registration plugin for WordPress is vulnerable to payment bypass in all versions up to, and including, 5.26.5. This is due to the /wp-json/tribe/tickets/v1/commerce/free/order endpoint not verifying that a ticket type should be free allowing the user to bypass the payment. This makes it possible for unauthenticated attackers to obtain access to paid tickets, without paying for them, causing a loss of revenue for the target. | |
Title | Event Tickets and Registration <= 5.26.5 - Unauthenticated Ticket Payment Bypass | |
Weaknesses | CWE-639 | |
References |
| |
Metrics |
cvssV3_1
|

Status: PUBLISHED
Assigner: Wordfence
Published:
Updated: 2025-10-18T06:42:43.892Z
Reserved: 2025-10-08T15:26:41.876Z
Link: CVE-2025-11517

No data.

Status : Received
Published: 2025-10-18T07:15:35.343
Modified: 2025-10-18T07:15:35.343
Link: CVE-2025-11517

No data.

No data.