Impact
An unauthenticated bypass of the authentication controls exists in the WordPress Event Tickets plugin versions up to and including 5.27.5. Because the vulnerability is related to improper authentication (CWE‑290), any user, even without logging in, can potentially gain access to actions normally restricted to authenticated users. This can lead to unauthorized ticket management or other privileged operations within the site, compromising the confidentiality and integrity of event data and associated user information.
Affected Systems
The affected product is the WordPress Event Tickets plugin developed by Liquid Web under the StellarWP brand. Versions up to and including 5.27.5 are vulnerable. The vendor states that upgrading to version 5.27.6.1 or later resolves the issue.
Risk and Exploitability
The CVSS score of 6.5 indicates a moderate to high severity. The EPSS score of less than 1% suggests a low probability of exploitation at this time, and the vulnerability is not listed in CISA’s KEV catalog. The likely attack vector is an application‑level web request; because the bug allows unauthenticated access, an attacker merely needs to send the appropriate request to a protected endpoint and may bypass the authentication check. Although the impact does not include remote code execution, the loss of access control still provides significant risk to the affected site.
OpenCVE Enrichment