{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-1402", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-02-17T17:32:25.800Z", "datePublished": "2025-02-21T11:09:34.845Z", "dateUpdated": "2026-04-08T17:27:39.770Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:27:39.770Z"}, "affected": [{"vendor": "stellarwp", "product": "Event Tickets and Registration", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "5.19.1.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Event Tickets and Registration plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'ajax_ticket_delete' function in all versions up to, and including, 5.19.1.1. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete arbitrary Attendee tickets."}], "title": "Event Tickets and Registration <= 5.19.1.1 - Missing Authorization to Ticket Deletion", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/dbd838b6-7792-4378-8969-a70c6e16ff6a?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/event-tickets/tags/5.18.1/src/Tribe/Assets.php#L202"}, {"url": "https://plugins.trac.wordpress.org/browser/event-tickets/tags/5.18.1/src/Tribe/Metabox.php#L30"}, {"url": "https://plugins.trac.wordpress.org/browser/event-tickets/tags/5.18.1/src/Tribe/Metabox.php#L490"}, {"url": "https://wordfence.freshdesk.com/a/tickets/375051"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Audrey Fran\u00e7ois"}], "timeline": [{"time": "2025-02-13T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-02-21T13:23:26.822647Z", "id": "CVE-2025-1402", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-21T13:23:37.997Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-1402", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-02-21T13:23:26.822647Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-21T13:23:32.718Z"}}], "cna": {"title": "Event Tickets and Registration <= 5.19.1.1 - Missing Authorization to Ticket Deletion", "credits": [{"lang": "en", "type": "finder", "value": "Audrey Fran\u00e7ois"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "stellarwp", "product": "Event Tickets and Registration", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "5.19.1.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-02-13T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/dbd838b6-7792-4378-8969-a70c6e16ff6a?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/event-tickets/tags/5.18.1/src/Tribe/Assets.php#L202"}, {"url": "https://plugins.trac.wordpress.org/browser/event-tickets/tags/5.18.1/src/Tribe/Metabox.php#L30"}, {"url": "https://plugins.trac.wordpress.org/browser/event-tickets/tags/5.18.1/src/Tribe/Metabox.php#L490"}, {"url": "https://wordfence.freshdesk.com/a/tickets/375051"}], "descriptions": [{"lang": "en", "value": "The Event Tickets and Registration plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'ajax_ticket_delete' function in all versions up to, and including, 5.19.1.1. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete arbitrary Attendee tickets."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:27:39.770Z"}}}, "cveMetadata": {"cveId": "CVE-2025-1402", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:27:39.770Z", "dateReserved": "2025-02-17T17:32:25.800Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-02-21T11:09:34.845Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:theeventscalendar:event_tickets:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "88B247E4-E581-498F-99CC-C489B09EDCB6", "versionEndExcluding": "5.19.1.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The Event Tickets and Registration plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'ajax_ticket_delete' function in all versions up to, and including, 5.19.1.1. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete arbitrary Attendee tickets."}, {"lang": "es", "value": "El complemento Event Tickets and Registration para WordPress es vulnerable a la p\u00e9rdida no autorizada de datos debido a una falta de verificaci\u00f3n de capacidad en la funci\u00f3n 'ajax_ticket_delete' en todas las versiones hasta la 5.19.1.1 incluida. Esto permite que atacantes autenticados, con acceso de nivel de colaborador y superior, eliminen entradas de asistentes arbitrarias."}], "id": "CVE-2025-1402", "lastModified": "2025-02-25T04:04:59.860", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2025-02-21T12:15:30.607", "references": [{"source": "security@wordfence.com", "tags": ["Product"], "url": "https://plugins.trac.wordpress.org/browser/event-tickets/tags/5.18.1/src/Tribe/Assets.php#L202"}, {"source": "security@wordfence.com", "tags": ["Product"], "url": "https://plugins.trac.wordpress.org/browser/event-tickets/tags/5.18.1/src/Tribe/Metabox.php#L30"}, {"source": "security@wordfence.com", "tags": ["Product"], "url": "https://plugins.trac.wordpress.org/browser/event-tickets/tags/5.18.1/src/Tribe/Metabox.php#L490"}, {"source": "security@wordfence.com", "tags": ["Permissions Required"], "url": "https://wordfence.freshdesk.com/a/tickets/375051"}, {"source": "security@wordfence.com", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/dbd838b6-7792-4378-8969-a70c6e16ff6a?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T22:19:22.680534+00:00", "value": {"mitigation_remediation": ["Upgrade the Event Tickets and Registration plugin to the latest version that includes the missing authorization check for ticket deletion", "If an upgrade is not immediately possible, restrict Contributor and lower user roles from accessing the WordPress admin area that contains the plugin, or use a role\u2011management plugin to remove the capability that allows ticket deletion", "Enable monitoring of the ajax_ticket_delete action in the site's logs to detect and investigate unauthorized ticket deletions"], "summary": {"action": "Immediate Patch", "impact": "Unauthorized Deletion of Attendee Tickets"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the WordPress plugin Event Tickets and Registration by StellarWP, specifically all releases up to and including version 5.19.1.1. All users of these affected plugin versions on any WordPress site are at risk.", "description_and_impact": "The Event Tickets and Registration plugin lacks a capability check on the ajax_ticket_delete function, allowing any authenticated user with Contributor-level privileges or higher to delete any attendee ticket. An attacker who is logged into the WordPress site can trigger this deletion via the exposed AJAX endpoint, potentially erasing event registration data and causing financial loss or operational disruption for event organizers. The flaw is a missing authorization check corresponding to CWE\u2011862.", "risk_and_exploitability": "The CVSS score of 5.3 indicates a moderate severity. The EPSS score of less than 1% suggests a low likelihood of widespread exploitation, and the vulnerability is not listed in the CISA KEV catalog. Nevertheless, because the flaw only requires authenticated Contributor access, attackers who gain such a role on a site\u2014whether through credential compromise or internal abuse\u2014can exploit it without needing higher administrative privileges, making the risk tangible to sites with many contributor accounts."}}}}, "created": "2026-04-21T22:30:06.130391+00:00", "updated": "2026-04-21T22:30:06.130404+00:00", "vendors": []}