Description
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in WP Asia MyTicket Events myticket-events allows Path Traversal.This issue affects MyTicket Events: from n/a through <= 1.2.4.
Published: 2025-04-17
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows an attacker to manipulate the file path parameter used by the MyTicket Events plugin, enabling them to read arbitrary files from the server's filesystem. This path traversal flaw is classified as CWE‑22. A successful exploitation does not provide code execution but can expose sensitive configuration files, credentials, or other private data, leading to a breach of confidentiality.

Affected Systems

The flaw affects WordPress sites that have the MyTicket Events plugin from WP Asia installed in any version up to and including 1.2.4. All users running an affected release are vulnerable because the plugin does not properly limit path traversal attempts.

Risk and Exploitability

The CVSS score of 5.3 reflects moderate severity and the EPSS score of less than 1 % indicates a very low current exploitation likelihood. The vulnerability is not listed in CISA’s KEV catalog. An attacker would need only a crafted request to the plugin’s file retrieval endpoint, which can be executed remotely by anyone who can access the exposed URL, making the attack straightforward but limited to reading files. The lack of elevation to code execution keeps the overall risk moderate.

Generated by OpenCVE AI on May 1, 2026 at 09:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the MyTicket Events plugin to the latest version that addresses the path traversal flaw.
  • If an update is not immediately available, disable the plugin until a fixed version is released.
  • Configure the web server to restrict file access to the document root and consider deploying a web application firewall to block path traversal patterns.

Generated by OpenCVE AI on May 1, 2026 at 09:33 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-11628 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in WP Asia MyTicket Events allows Path Traversal. This issue affects MyTicket Events: from n/a through 1.2.4.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in WP Asia MyTicket Events allows Path Traversal. This issue affects MyTicket Events: from n/a through 1.2.4. Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in WP Asia MyTicket Events myticket-events allows Path Traversal.This issue affects MyTicket Events: from n/a through <= 1.2.4.
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

Thu, 17 Apr 2025 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 17 Apr 2025 16:00:00 +0000

Type Values Removed Values Added
Description Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in WP Asia MyTicket Events allows Path Traversal. This issue affects MyTicket Events: from n/a through 1.2.4.
Title WordPress MyTicket Events plugin <= 1.2.4 - Non-Arbitrary File Read vulnerability
Weaknesses CWE-22
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:47.614Z

Reserved: 2025-02-21T16:45:27.526Z

Link: CVE-2025-27299

cve-icon Vulnrichment

Updated: 2025-04-17T17:42:13.765Z

cve-icon NVD

Status : Deferred

Published: 2025-04-17T16:15:36.327

Modified: 2026-04-23T15:26:19.483

Link: CVE-2025-27299

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-01T09:45:07Z

Weaknesses