Description
The Event Tickets and Registration plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'ajax_ticket_delete' function in all versions up to, and including, 5.19.1.1. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete arbitrary Attendee tickets.
Published: 2025-02-21
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Deletion of Attendee Tickets
Action: Immediate Patch
AI Analysis

Impact

The Event Tickets and Registration plugin lacks a capability check on the ajax_ticket_delete function, allowing any authenticated user with Contributor-level privileges or higher to delete any attendee ticket. An attacker who is logged into the WordPress site can trigger this deletion via the exposed AJAX endpoint, potentially erasing event registration data and causing financial loss or operational disruption for event organizers. The flaw is a missing authorization check corresponding to CWE‑862.

Affected Systems

The vulnerability affects the WordPress plugin Event Tickets and Registration by StellarWP, specifically all releases up to and including version 5.19.1.1. All users of these affected plugin versions on any WordPress site are at risk.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate severity. The EPSS score of less than 1% suggests a low likelihood of widespread exploitation, and the vulnerability is not listed in the CISA KEV catalog. Nevertheless, because the flaw only requires authenticated Contributor access, attackers who gain such a role on a site—whether through credential compromise or internal abuse—can exploit it without needing higher administrative privileges, making the risk tangible to sites with many contributor accounts.

Generated by OpenCVE AI on April 21, 2026 at 22:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Event Tickets and Registration plugin to the latest version that includes the missing authorization check for ticket deletion
  • If an upgrade is not immediately possible, restrict Contributor and lower user roles from accessing the WordPress admin area that contains the plugin, or use a role‑management plugin to remove the capability that allows ticket deletion
  • Enable monitoring of the ajax_ticket_delete action in the site's logs to detect and investigate unauthorized ticket deletions

Generated by OpenCVE AI on April 21, 2026 at 22:19 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-4535 The Event Tickets and Registration plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'ajax_ticket_delete' function in all versions up to, and including, 5.19.1.1. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete arbitrary Attendee tickets.
History

Tue, 25 Feb 2025 04:30:00 +0000

Type Values Removed Values Added
First Time appeared Theeventscalendar
Theeventscalendar event Tickets
CPEs cpe:2.3:a:theeventscalendar:event_tickets:*:*:*:*:*:wordpress:*:*
Vendors & Products Theeventscalendar
Theeventscalendar event Tickets

Fri, 21 Feb 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 21 Feb 2025 11:30:00 +0000

Type Values Removed Values Added
Description The Event Tickets and Registration plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'ajax_ticket_delete' function in all versions up to, and including, 5.19.1.1. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete arbitrary Attendee tickets.
Title Event Tickets and Registration <= 5.19.1.1 - Missing Authorization to Ticket Deletion
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

Subscriptions

Theeventscalendar Event Tickets
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:27:39.770Z

Reserved: 2025-02-17T17:32:25.800Z

Link: CVE-2025-1402

cve-icon Vulnrichment

Updated: 2025-02-21T13:23:32.718Z

cve-icon NVD

Status : Analyzed

Published: 2025-02-21T12:15:30.607

Modified: 2025-02-25T04:04:59.860

Link: CVE-2025-1402

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T22:30:06Z

Weaknesses