{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-68015", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2025-12-15T10:00:54.715Z", "datePublished": "2026-01-22T16:52:03.228Z", "dateUpdated": "2026-04-28T19:54:52.096Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "event-tickets-with-ticket-scanner", "product": "Event Tickets with Ticket Scanner", "vendor": "Vollstart", "versions": [{"changes": [{"at": "2.8.6", "status": "unaffected"}], "lessThanOrEqual": "2.8.5", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "daroo | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:02:13.811Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Control of Generation of Code ('Code Injection') vulnerability in Vollstart Event Tickets with Ticket Scanner event-tickets-with-ticket-scanner allows Code Injection.<p>This issue affects Event Tickets with Ticket Scanner: from n/a through <= 2.8.5.</p>"}], "value": "Improper Control of Generation of Code ('Code Injection') vulnerability in Vollstart Event Tickets with Ticket Scanner event-tickets-with-ticket-scanner allows Code Injection.This issue affects Event Tickets with Ticket Scanner: from n/a through <= 2.8.5."}], "impacts": [{"capecId": "CAPEC-242", "descriptions": [{"lang": "en", "value": "Code Injection"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-94", "description": "Improper Control of Generation of Code ('Code Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:26.367Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/event-tickets-with-ticket-scanner/vulnerability/wordpress-event-tickets-with-ticket-scanner-plugin-2-7-10-remote-code-execution-rce-vulnerability?_s_id=cve"}], "title": "WordPress Event Tickets with Ticket Scanner plugin <= 2.8.5 - Remote Code Execution (RCE) vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-28T17:20:07.351671Z", "id": "CVE-2025-68015", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T19:54:52.096Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 9, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-68015", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-01-28T17:20:07.351671Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-28T17:19:56.293Z"}}], "cna": {"title": "WordPress Event Tickets with Ticket Scanner plugin <= 2.8.3 - Remote Code Execution (RCE) vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "daroo | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-242", "descriptions": [{"lang": "en", "value": "Code Injection"}]}], "affected": [{"vendor": "Vollstart", "product": "Event Tickets with Ticket Scanner", "versions": [{"status": "affected", "version": "n/a", "versionType": "custom", "lessThanOrEqual": "<= 2.8.3"}], "packageName": "event-tickets-with-ticket-scanner", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-01-22T17:44:33.366Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/event-tickets-with-ticket-scanner/vulnerability/wordpress-event-tickets-with-ticket-scanner-plugin-2-7-10-remote-code-execution-rce-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Improper Control of Generation of Code ('Code Injection') vulnerability in Vollstart Event Tickets with Ticket Scanner event-tickets-with-ticket-scanner allows Code Injection.This issue affects Event Tickets with Ticket Scanner: from n/a through <= 2.8.3.", "supportingMedia": [{"type": "text/html", "value": "Improper Control of Generation of Code ('Code Injection') vulnerability in Vollstart Event Tickets with Ticket Scanner event-tickets-with-ticket-scanner allows Code Injection.<p>This issue affects Event Tickets with Ticket Scanner: from n/a through <= 2.8.3.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "Improper Control of Generation of Code ('Code Injection')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-01-22T16:52:03.228Z"}}}, "cveMetadata": {"cveId": "CVE-2025-68015", "state": "PUBLISHED", "dateUpdated": "2026-01-28T17:20:22.234Z", "dateReserved": "2025-12-15T10:00:54.715Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-01-22T16:52:03.228Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Control of Generation of Code ('Code Injection') vulnerability in Vollstart Event Tickets with Ticket Scanner event-tickets-with-ticket-scanner allows Code Injection.This issue affects Event Tickets with Ticket Scanner: from n/a through <= 2.8.5."}, {"lang": "es", "value": "Vulnerabilidad de control inadecuado de la generaci\u00f3n de c\u00f3digo ('Inyecci\u00f3n de c\u00f3digo') en Vollstart Event Tickets con Ticket Scanner event-tickets-with-ticket-scanner permite la inyecci\u00f3n de c\u00f3digo. Este problema afecta a Event Tickets con Ticket Scanner: desde n/a hasta &lt;= 2.8.3."}], "id": "CVE-2025-68015", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 6.0, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-01-22T17:16:07.817", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/event-tickets-with-ticket-scanner/vulnerability/wordpress-event-tickets-with-ticket-scanner-plugin-2-7-10-remote-code-execution-rce-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-28T09:54:36.373819+00:00", "value": {"mitigation_remediation": ["Update the Event Tickets with Ticket Scanner plugin to the latest version (at least 2.8.6).", "If an update is not immediately possible, restrict the plugin\u2019s functionality by disabling it for non\u2011admin users or temporarily deactivating it until a patch is applied.", "Apply server\u2011side input validation or set web application firewall rules to block suspicious payloads that could be interpreted as executable code within the plugin\u2019s context."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "All installations of the Vollstart Event Tickets with Ticket Scanner plugin up to and including version 2.8.5 are affected. An attacker does not need to know the exact WordPress version; the vulnerability exists in every site that has the plugin loaded within that version range, regardless of the site\u2019s configuration or the roles of the users who interact with the plugin.", "description_and_impact": "The vulnerability in the Vollstart Event Tickets with Ticket Scanner WordPress plugin is an improper control over code generation, allowing an attacker to inject arbitrary code that is then executed by the server. This flaw is defined as CWE\u201194, indicating that the application fails to validate or sanitize code it runs. When exploited, the attacker can run any command with the privileges of the Wordpress installation, potentially compromising the entire site, its database, and any connected services.", "risk_and_exploitability": "The CVSS score is 9, which indicates critical severity. The EPSS score is less than 1%, showing a very low but non-zero likelihood of exploitation according to the EPSS model. The vulnerability is not listed in the CISA KEV catalog, meaning there is no documented active exploitation in the wild currently. The likely attack vector is remote, as an attacker can supply malicious code through the plugin\u2019s public interfaces or API endpoints. Successful exploitation does not require authentication beyond any normal access to the plugin, so the risk remains high for any publicly accessible installation."}}}}, "created": "2026-01-23T16:30:36.246811+00:00", "updated": "2026-04-28T10:00:06.500703+00:00", "vendors": ["vollstart", "vollstart$PRODUCT$event_tickets_with_ticket_scanner", "wordpress", "wordpress$PRODUCT$wordpress"]}