Description
Unauthenticated Bypass Vulnerability in Event Tickets <= 5.27.5 versions.
Published: 2026-06-15
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An unauthenticated bypass of the authentication controls exists in the WordPress Event Tickets plugin versions up to and including 5.27.5. Because the vulnerability is related to improper authentication (CWE‑290), any user, even without logging in, can potentially gain access to actions normally restricted to authenticated users. This can lead to unauthorized ticket management or other privileged operations within the site, compromising the confidentiality and integrity of event data and associated user information.

Affected Systems

The affected product is the WordPress Event Tickets plugin developed by Liquid Web under the StellarWP brand. Versions up to and including 5.27.5 are vulnerable. The vendor states that upgrading to version 5.27.6.1 or later resolves the issue.

Risk and Exploitability

The CVSS score of 6.5 indicates a moderate to high severity. The EPSS score of less than 1% suggests a low probability of exploitation at this time, and the vulnerability is not listed in CISA’s KEV catalog. The likely attack vector is an application‑level web request; because the bug allows unauthenticated access, an attacker merely needs to send the appropriate request to a protected endpoint and may bypass the authentication check. Although the impact does not include remote code execution, the loss of access control still provides significant risk to the affected site.

Generated by OpenCVE AI on June 18, 2026 at 00:44 UTC.

Remediation

Vendor Solution

Update the WordPress Event Tickets Plugin to the latest available version (at least 5.27.6.1).


OpenCVE Recommended Actions

  • Upgrade the WordPress Event Tickets Plugin to version 5.27.6.1 or later
  • Disable the Event Tickets plugin on sites where an upgrade cannot be applied immediately and block its REST endpoints until a patch is applied
  • Enforce stronger authentication controls—such as two‑factor authentication—for all WordPress administrative accounts to mitigate potential unauthorized access until the plugin is updated

Generated by OpenCVE AI on June 18, 2026 at 00:44 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 23 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Liquid Web / Stellarwp
Liquid Web / Stellarwp event Tickets
Wordpress
Wordpress wordpress
Vendors & Products Liquid Web / Stellarwp
Liquid Web / Stellarwp event Tickets
Wordpress
Wordpress wordpress

Tue, 16 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 15 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Description Unauthenticated Bypass Vulnerability in Event Tickets <= 5.27.5 versions.
Title WordPress Event Tickets plugin <= 5.27.5 - Bypass Vulnerability vulnerability
Weaknesses CWE-290
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L'}


Subscriptions

Liquid Web / Stellarwp Event Tickets
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-16T13:03:42.375Z

Reserved: 2026-04-29T09:04:47.838Z

Link: CVE-2026-42662

cve-icon Vulnrichment

Updated: 2026-06-16T13:03:36.469Z

cve-icon NVD

Status : Deferred

Published: 2026-06-15T21:16:55.933

Modified: 2026-06-15T21:24:32.790

Link: CVE-2026-42662

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-23T21:07:08Z

Weaknesses
  • CWE-290

    Authentication Bypass by Spoofing