{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-11517", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-10-08T15:26:41.876Z", "datePublished": "2025-10-18T06:42:43.892Z", "dateUpdated": "2026-04-08T16:41:30.638Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:41:30.638Z"}, "affected": [{"vendor": "stellarwp", "product": "Event Tickets and Registration", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "5.26.5", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Event Tickets and Registration plugin for WordPress is vulnerable to payment bypass in all versions up to, and including, 5.26.5. This is due to the /wp-json/tribe/tickets/v1/commerce/free/order endpoint not verifying that a ticket type should be free allowing the user to bypass the payment. This makes it possible for unauthenticated attackers to obtain access to paid tickets, without paying for them, causing a loss of revenue for the target."}], "title": "Event Tickets and Registration <= 5.26.5 - Unauthenticated Ticket Payment Bypass", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/21cd8cb8-2a29-4b66-ab7a-8d8b2f85e2e0?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3378214/event-tickets/tags/5.26.6/src/Tickets/Commerce/Gateways/Free/REST/Order_Endpoint.php"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-639 Authorization Bypass Through User-Controlled Key", "cweId": "CWE-639", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "baseScore": 7.5, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Jack Pas"}], "timeline": [{"time": "2025-10-08T15:41:53.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-10-17T18:07:22.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-10-20T19:01:14.721980Z", "id": "CVE-2025-11517", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-20T19:01:23.289Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-11517", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-10-20T19:01:14.721980Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-20T19:01:19.643Z"}}], "cna": {"title": "Event Tickets and Registration <= 5.26.5 - Unauthenticated Ticket Payment Bypass", "credits": [{"lang": "en", "type": "finder", "value": "Jack Pas"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}}], "affected": [{"vendor": "stellarwp", "product": "Event Tickets and Registration", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "5.26.5"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-10-08T15:41:53.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-10-17T18:07:22.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/21cd8cb8-2a29-4b66-ab7a-8d8b2f85e2e0?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3378214/event-tickets/tags/5.26.6/src/Tickets/Commerce/Gateways/Free/REST/Order_Endpoint.php"}], "descriptions": [{"lang": "en", "value": "The Event Tickets and Registration plugin for WordPress is vulnerable to payment bypass in all versions up to, and including, 5.26.5. This is due to the /wp-json/tribe/tickets/v1/commerce/free/order endpoint not verifying that a ticket type should be free allowing the user to bypass the payment. This makes it possible for unauthenticated attackers to obtain access to paid tickets, without paying for them, causing a loss of revenue for the target."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-639", "description": "CWE-639 Authorization Bypass Through User-Controlled Key"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:41:30.638Z"}}}, "cveMetadata": {"cveId": "CVE-2025-11517", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:41:30.638Z", "dateReserved": "2025-10-08T15:26:41.876Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-10-18T06:42:43.892Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Event Tickets and Registration plugin for WordPress is vulnerable to payment bypass in all versions up to, and including, 5.26.5. This is due to the /wp-json/tribe/tickets/v1/commerce/free/order endpoint not verifying that a ticket type should be free allowing the user to bypass the payment. This makes it possible for unauthenticated attackers to obtain access to paid tickets, without paying for them, causing a loss of revenue for the target."}], "id": "CVE-2025-11517", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-10-18T07:15:35.343", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3378214/event-tickets/tags/5.26.6/src/Tickets/Commerce/Gateways/Free/REST/Order_Endpoint.php"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/21cd8cb8-2a29-4b66-ab7a-8d8b2f85e2e0?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T22:00:32.380150+00:00", "value": {"mitigation_remediation": ["Upgrade the Event Tickets and Registration plugin to version 5.26.6 or later, where the free order endpoint verifies the ticket type", "Verify that the /wp-json/tribe/tickets/v1/commerce/free/order endpoint no longer issues paid tickets", "Block or disable external access to the free order REST endpoint until the patch is applied"], "summary": {"action": "Immediate Patch", "impact": "Unauthorized access to paid tickets via unauthenticated payment bypass"}, "threat_synthesis": {"affected_systems": "StellarWP Event Tickets and Registration plugin for WordPress, versions up to and including 5.26.5. No newer versions are affected; the fix is included in 5.26.6 or later.", "description_and_impact": "The vulnerability permits unauthenticated users to obtain paid tickets by exploiting the free order endpoint, which fails to confirm that the ticket type is free. Attackers can request a ticket that requires payment, receive the ticket, and acquire it without paying, resulting in revenue loss for the event organizer.", "risk_and_exploitability": "The CVSS score of 7.5 highlights moderate to high severity, but the EPSS of less than 1% indicates low probability of exploitation in the wild. The flaw is not listed in the KEV catalog. An attacker can trigger the vulnerability through a simple HTTP request to the /wp-json/tribe/tickets/v1/commerce/free/order endpoint, requiring no authentication. Once the ticket is issued, the attacker can attend the event or resell the ticket without payment."}}}}, "created": "2025-10-20T13:21:36.938307+00:00", "updated": "2026-04-22T22:15:26.346445+00:00", "vendors": ["theeventscalendar", "theeventscalendar$PRODUCT$event_tickets", "wordpress", "wordpress$PRODUCT$wordpress"]}