Description
The Event Tickets and Registration plugin for WordPress is vulnerable to payment bypass in all versions up to, and including, 5.26.5. This is due to the /wp-json/tribe/tickets/v1/commerce/free/order endpoint not verifying that a ticket type should be free, allowing the user to bypass the payment. This makes it possible for unauthenticated attackers to obtain access to paid tickets without paying for them, causing a loss of revenue for the target.
Published: 2025-10-18
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized access to paid tickets via unauthenticated payment bypass
Action: Immediate Patch
AI Analysis

Impact

The vulnerability permits unauthenticated users to obtain paid tickets through the free order endpoint, which fails to confirm that the ticket type is actually free. Attackers can request a ticket that requires payment through that endpoint and receive it without paying, resulting in revenue loss for the event organizer.

Affected Systems

StellarWP Event Tickets and Registration plugin for WordPress, versions up to and including 5.26.5. No newer versions are affected; the fix is included in 5.26.6 or later.

Risk and Exploitability

The CVSS score of 7.5 highlights moderate to high severity, but the EPSS of less than 1% indicates low probability of exploitation in the wild. The flaw is not listed in the KEV catalog. An attacker can trigger the vulnerability through a simple HTTP request to the /wp-json/tribe/tickets/v1/commerce/free/order endpoint, requiring no authentication. Once the ticket is issued, the attacker can attend the event or resell the ticket without payment.

Generated by OpenCVE AI on April 22, 2026 at 22:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Event Tickets and Registration plugin to version 5.26.6 or later, where the free order endpoint verifies the ticket type
  • Verify that the /wp-json/tribe/tickets/v1/commerce/free/order endpoint no longer issues paid tickets
  • Block or disable external access to the free order REST endpoint until the patch is applied
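What that server-side verification looks like, as an added example that is not the Event Tickets plugin's code: a WordPress REST handler for a free-order route that re-reads every ticket's price from post meta and refuses the order if any ticket is paid. The `example/v1` namespace, the `example_ticket` and `example_order` post types, the `_price` meta key and all `example_*` function names are assumptions for illustration.

```php
<?php
// Added example, not the plugin's code. A free-order endpoint must re-derive each
// ticket's price from trusted storage and refuse the order if any ticket is paid.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/commerce/free/order', array(
        'methods'             => WP_REST_Server::CREATABLE,
        // Free orders are open to unauthenticated visitors by design, so the price check below is the control.
        'permission_callback' => '__return_true',
        'args'                => array(
            'tickets' => array(
                'required' => true,
                'type'     => 'array',
                'items'    => array( 'type' => 'integer' ),
            ),
        ),
        'callback'            => 'example_create_free_order',
    ) );
} );
// Hypothetical lookup: the price comes from the ticket's post meta, never from the
// request body. Returns null for any ID that is not a ticket.
function example_ticket_price( $ticket_id ) {
    if ( 'example_ticket' !== get_post_type( $ticket_id ) ) {
        return null;
    }
    return (float) get_post_meta( $ticket_id, '_price', true );
}
function example_create_free_order( WP_REST_Request $request ) {
    $ticket_ids = array_map( 'intval', (array) $request->get_param( 'tickets' ) );
    if ( empty( $ticket_ids ) ) {
        return new WP_Error( 'no_tickets', 'No tickets requested.', array( 'status' => 400 ) );
    }
    foreach ( $ticket_ids as $ticket_id ) {
        $price = example_ticket_price( $ticket_id );
        if ( null === $price ) {
            return new WP_Error( 'invalid_ticket', 'Unknown ticket.', array( 'status' => 404 ) );
        }
        // The stored price decides; a client asserting "free" is not trusted.
        if ( $price > 0 ) {
            return new WP_Error( 'payment_required', 'Ticket is not free.', array( 'status' => 402 ) );
        }
    }
    // Reached only when every requested ticket is genuinely free.
    $order_id = wp_insert_post( array(
        'post_type'   => 'example_order',
        'post_status' => 'publish',
        'meta_input'  => array( '_tickets' => $ticket_ids, '_total' => 0 ),
    ) );
    return rest_ensure_response( array( 'order_id' => $order_id ) );
}
```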


Tracking


Advisories

No advisories yet.

History

Mon, 20 Oct 2025 20:00:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 20 Oct 2025 13:30:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Theeventscalendar; Theeventscalendar event Tickets; Wordpress; Wordpress wordpress
Vendors & Products  |                | Theeventscalendar; Theeventscalendar event Tickets; Wordpress; Wordpress wordpress

Sat, 18 Oct 2025 07:00:00 +0000

Type        | Values Removed | Values Added
Description |                | The Event Tickets and Registration plugin for WordPress is vulnerable to payment bypass in all versions up to, and including, 5.26.5. This is due to the /wp-json/tribe/tickets/v1/commerce/free/order endpoint not verifying that a ticket type should be free allowing the user to bypass the payment. This makes it possible for unauthenticated attackers to obtain access to paid tickets, without paying for them, causing a loss of revenue for the target.
Title       |                | Event Tickets and Registration <= 5.26.5 - Unauthenticated Ticket Payment Bypass
Weaknesses  |                | CWE-639
References  |                |
Metrics     |                | cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}


Subscriptions

Theeventscalendar Event Tickets
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:41:30.638Z

Reserved: 2025-10-08T15:26:41.876Z

Link: CVE-2025-11517

Vulnrichment

Updated: 2025-10-20T19:01:19.643Z

NVD

Status: Deferred

Published: 2025-10-18T07:15:35.343

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-11517

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T22:15:26Z

Weaknesses