{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-3761", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-04-17T12:33:35.406Z", "datePublished": "2025-04-24T06:57:06.438Z", "dateUpdated": "2026-04-08T16:59:28.189Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:59:28.189Z"}, "affected": [{"vendor": "joedolson", "product": "My Tickets \u2013 Accessible Event Ticketing", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.0.16", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The My Tickets \u2013 Accessible Event Ticketing plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 2.0.16. This is due to the mt_save_profile() function not appropriately restricting access to unauthorized users to update roles. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update their role to that of an administrator."}], "title": "My Tickets \u2013 Accessible Event Ticketing <= 2.0.16 - Authenticated (Subscriber+) Privilege Escalation", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6d875c23-3d8a-4f82-bea3-1c46b5045d94?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3280248/my-tickets/trunk/my-tickets.php"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-269 Improper Privilege Management", "cweId": "CWE-269", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "ngocanh le"}], "timeline": [{"time": "2025-04-23T18:25:36.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-04-24T12:53:32.270957Z", "id": "CVE-2025-3761", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-24T13:06:47.777Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-3761", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-04-24T12:53:32.270957Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-24T13:03:59.696Z"}}], "cna": {"title": "My Tickets \u2013 Accessible Event Ticketing <= 2.0.16 - Authenticated (Subscriber+) Privilege Escalation", "credits": [{"lang": "en", "type": "finder", "value": "ngocanh le"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 8.8, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}}], "affected": [{"vendor": "joedolson", "product": "My Tickets \u2013 Accessible Event Ticketing", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.0.16"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-04-23T18:25:36.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6d875c23-3d8a-4f82-bea3-1c46b5045d94?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3280248/my-tickets/trunk/my-tickets.php"}], "descriptions": [{"lang": "en", "value": "The My Tickets \u2013 Accessible Event Ticketing plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 2.0.16. This is due to the mt_save_profile() function not appropriately restricting access to unauthorized users to update roles. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update their role to that of an administrator."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-269", "description": "CWE-269 Improper Privilege Management"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:59:28.189Z"}}}, "cveMetadata": {"cveId": "CVE-2025-3761", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:59:28.189Z", "dateReserved": "2025-04-17T12:33:35.406Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-04-24T06:57:06.438Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The My Tickets \u2013 Accessible Event Ticketing plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 2.0.16. This is due to the mt_save_profile() function not appropriately restricting access to unauthorized users to update roles. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update their role to that of an administrator."}, {"lang": "es", "value": "El complemento My Tickets \u2013 Accessible Event Ticketing para WordPress es vulnerable a la escalada de privilegios en todas las versiones hasta la 2.0.16 incluida. Esto se debe a que la funci\u00f3n mt_save_profile() no restringe adecuadamente el acceso a usuarios no autorizados para actualizar roles. Esto permite que atacantes autenticados, con acceso de suscriptor o superior, actualicen su rol al de administrador."}], "id": "CVE-2025-3761", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-04-24T07:15:31.437", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3280248/my-tickets/trunk/my-tickets.php"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6d875c23-3d8a-4f82-bea3-1c46b5045d94?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-269"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T07:39:15.083883+00:00", "value": {"mitigation_remediation": ["Upgrade the My Tickets \u2013 Accessible Event Ticketing plugin to the latest available version that addresses the role update flaw; if no version announcement exists, consult the vendor\u2019s changelog for a fix.", "Revoke any Administrator privileges that have been granted through the vulnerability and reset the affected user accounts to their original roles.", "Disable or restrict the ability for users to change roles via the mt_save_profile endpoint\u2014this can be done by disabling the plugin feature that allows role editing or by implementing custom role\u2011change validation logic to enforce appropriate authorization."], "summary": {"action": "Immediate Update", "impact": "Privilege Escalation to Administrator"}, "threat_synthesis": {"affected_systems": "WordPress sites that have installed the My Tickets \u2013 Accessible Event Ticketing plugin from the vendor joedolson, in any version up to and including 2.0.16. The plugin is commonly employed to manage event tickets, and any site running these versions is potentially affected.", "description_and_impact": "The My Tickets \u2013 Accessible Event Ticketing WordPress plugin contains a flaw in the mt_save_profile function that fails to enforce proper access control when updating user roles. Because the function does not restrict which users may change role values, an authenticated user who has Subscriber level access or higher can change the role field to Administrator, elevating their privileges to full site control. This vulnerability is a classic example of a privilege escalation weakness (CWE\u2011269).", "risk_and_exploitability": "The CVSS base score of 8.8 reflects the high severity of the flaw, whereas the EPSS score of less than 1% indicates that exploitation is currently unlikely in the wild. The vulnerability is not listed in the CISA KEV catalog. Attackers need only valid credentials with Subscriber\u2011level permissions or higher; the attack path consists of sending a normal profile update request that modifies the role field. No additional network or system prerequisites are required, making the exploitation straightforward for any authenticated user who discovers the issue."}}}}, "created": "2026-04-22T07:45:11.751169+00:00", "updated": "2026-04-22T07:45:11.751186+00:00", "vendors": []}