Description
Authentication Bypass by Spoofing vulnerability in Joe Dolson My Tickets my-tickets allows Identity Spoofing. This issue affects My Tickets: from n/a through <= 2.1.1.
Published: 2026-03-25
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Identity Spoofing
Action: Patch
AI Analysis

Impact

The vulnerability is an authentication bypass by spoofing. An attacker can trick the My Tickets plugin into treating an arbitrary user ID as authenticated, effectively impersonating that user. This flaw is classified as CWE-290 (Authentication Bypass by Spoofing) and can lead to unauthorized access to sensitive functions such as ticket management or administrative actions.

Affected Systems

The affected systems are installations of the WordPress My Tickets plugin from Joe Dolson up to and including version 2.1.1. These systems can be running on any WordPress site that has installed the plugin, meaning that the risk is widespread across any site using this plugin version.

Risk and Exploitability

With a CVSS score of 5.3 and an EPSS below 1%, the vulnerability presents a moderate severity but is unlikely to see mass exploitation. Based on the description, the likely attack vector is sending a crafted HTTP request to the My Tickets plugin endpoint, which an attacker can perform locally or remotely without privileged access. Attackers can target any site that exposes the plugin's functions to public or authenticated users. It is inferred that, because the flaw is not listed in the CISA KEV catalog, there has been no widespread exploitation yet, although the issue is actionable.

Generated by OpenCVE AI on March 26, 2026 at 21:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the My Tickets plugin to the latest available version, ensuring it is greater than 2.1.1.
  • If no update is available, disable or remove the plugin from the site to eliminate the vulnerable code.
  • Restrict access to the plugin’s administrative endpoints by applying proper role‑based access controls.
  • Monitor website logs for unusual authentication patterns or unauthorized access attempts.

Advisories

No advisories yet.

History

Thu, 26 Mar 2026 20:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added:
  cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}
  ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 26 Mar 2026 12:00:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added:
  Joe Dolson
  Joe Dolson my Tickets
  Wordpress
  Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added:
  Joe Dolson
  Joe Dolson my Tickets
  Wordpress
  Wordpress wordpress

Wed, 25 Mar 2026 16:45:00 +0000

Values Removed: (none)
Values Added:
  Description: Authentication Bypass by Spoofing vulnerability in Joe Dolson My Tickets my-tickets allows Identity Spoofing. This issue affects My Tickets: from n/a through <= 2.1.1.
  Title: WordPress My Tickets plugin <= 2.1.1 - Bypass Vulnerability vulnerability
  Weaknesses: CWE-290
  References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-03-26T19:34:28.982Z

Reserved: 2026-03-12T11:12:00.510Z

Link: CVE-2026-32492

Vulnrichment

Updated: 2026-03-26T19:32:34.507Z

NVD

Status: Awaiting Analysis

Published: 2026-03-25T17:17:00.827

Modified: 2026-03-30T13:27:12.923

Link: CVE-2026-32492

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:31:07Z