Impact
The vulnerability in the Vollstart Event Tickets with Ticket Scanner WordPress plugin is an improper control over code generation, allowing an attacker to inject arbitrary code that is then executed by the server. This flaw is classified as CWE-94, indicating that the application fails to validate or sanitize code it runs. When exploited, the attacker can run any command with the privileges of the WordPress installation, potentially compromising the entire site, its database, and any connected services.
Affected Systems
All installations of the Vollstart Event Tickets with Ticket Scanner plugin up to and including version 2.8.5 are affected. An attacker does not need to know the exact WordPress version; the vulnerability exists in every site that has the plugin loaded within that version range, regardless of the site’s configuration or the roles of the users who interact with the plugin.
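As an added example (not from the advisory, OpenCVE, or the plugin's own code), the following script reads the JSON produced by `wp plugin list --format=json` and flags installations inside the affected range stated above, comparing versions numerically so that 2.8.10 is correctly treated as newer than 2.8.5. The plugin slug is an assumption; confirm it against the site's wp-content/plugins directory before relying on the match.

```python
import json

AFFECTED_SLUG = "event-tickets-with-ticket-scanner"  # assumed slug; verify locally
LAST_AFFECTED = "2.8.5"                               # "up to and including" per the advisory


def parse_version(v):
    """Turn '2.8.10' into (2, 8, 10) so comparison is numeric, not lexical.
    Non-numeric suffixes such as '-beta' are ignored."""
    parts = []
    for piece in v.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_affected(version, last_affected=LAST_AFFECTED):
    """True when version <= last_affected (the range is inclusive)."""
    a, b = parse_version(version), parse_version(last_affected)
    n = max(len(a), len(b))
    a += (0,) * (n - len(a))  # pad so 2.8 compares as 2.8.0
    b += (0,) * (n - len(b))
    return a <= b


def find_affected(wp_plugin_list_json, slug=AFFECTED_SLUG):
    """Return [(name, version, status)] for installed copies in the affected range.
    Inactive copies are reported too: the plugin code is still on disk."""
    hits = []
    for plugin in json.loads(wp_plugin_list_json):
        if plugin.get("name") == slug and is_affected(plugin.get("version", "0")):
            hits.append((plugin["name"], plugin["version"], plugin.get("status", "")))
    return hits


# Constructed sample in the shape `wp plugin list --format=json` emits.
SAMPLE = json.dumps([
    {"name": "akismet", "status": "active", "update": "none", "version": "5.3"},
    {"name": AFFECTED_SLUG, "status": "active", "update": "available", "version": "2.8.5"},
    {"name": "hello", "status": "inactive", "update": "none", "version": "1.7.2"},
])

if __name__ == "__main__":
    for name, version, status in find_affected(SAMPLE):
        print(f"AFFECTED: {name} {version} ({status})")
```

On a live host, replace SAMPLE with the output of `wp plugin list --format=json` run as the web user.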
Risk and Exploitability
The CVSS score is 9, which indicates critical severity. The EPSS score is less than 1%, showing a very low but non-zero likelihood of exploitation according to the EPSS model. The vulnerability is not listed in the CISA KEV catalog, meaning there is no documented active exploitation in the wild currently. The likely attack vector is remote, as an attacker can supply malicious code through the plugin’s public interfaces or API endpoints. Successful exploitation does not require authentication beyond any normal access to the plugin, so the risk remains high for any publicly accessible installation.
OpenCVE Enrichment