The Event Tickets and Registration plugin for WordPress is vulnerable to payment bypass in all versions up to, and including, 5.26.5. This is due to the /wp-json/tribe/tickets/v1/commerce/free/order endpoint not verifying that a ticket type should be free, allowing the user to bypass the payment. This makes it possible for unauthenticated attackers to obtain access to paid tickets without paying for them, causing a loss of revenue for the target.
Advisories

No advisories yet.

Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

History

Sat, 18 Oct 2025 07:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | The Event Tickets and Registration plugin for WordPress is vulnerable to payment bypass in all versions up to, and including, 5.26.5. This is due to the /wp-json/tribe/tickets/v1/commerce/free/order endpoint not verifying that a ticket type should be free, allowing the user to bypass the payment. This makes it possible for unauthenticated attackers to obtain access to paid tickets without paying for them, causing a loss of revenue for the target. |
| Title | | Event Tickets and Registration <= 5.26.5 - Unauthenticated Ticket Payment Bypass |
| Weaknesses | | CWE-639 |
| References | | |
| Metrics | | cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'} |


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2025-10-18T06:42:43.892Z

Reserved: 2025-10-08T15:26:41.876Z

Link: CVE-2025-11517

Vulnrichment

No data.

NVD

Status: Received

Published: 2025-10-18T07:15:35.343

Modified: 2025-10-18T07:15:35.343

Link: CVE-2025-11517

Redhat

No data.

OpenCVE Enrichment

No data.