Event Tickets and Registration Payment Bypass Vulnerability

Vulnerability

A payment bypass vulnerability has been identified in the Event Tickets and Registration plugin for WordPress, affecting all versions through 5.26.5. The vulnerability arises because the '/wp-json/tribe/tickets/v1/commerce/free/order' endpoint fails to properly verify whether a ticket type is actually free before completing the order. This oversight allows paid tickets to be submitted through the free-order flow, enabling unauthenticated attackers to obtain those tickets without payment, resulting in potential revenue loss for the target site.
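The missing check described above, shown as an added illustration rather than the plugin's own code: a "free order" handler that trusts the client's ticket list beside a hardened one that looks every ticket's price up server-side and refuses the order if any price is non-zero. The ticket catalog, request shape and function names are constructed assumptions, not the plugin's API.

```python
# Added illustration (not the plugin's code): the server-side price check a
# free-order endpoint must make. Prices come from the server's own catalog,
# never from the request, and the order completes only if every ticket is 0.
from decimal import Decimal

# Constructed catalog standing in for the site's ticket database (assumption).
TICKET_CATALOG = {
    "free-entry": Decimal("0.00"),
    "vip-pass": Decimal("149.00"),
    "workshop": Decimal("35.50"),
}


class PaymentRequired(Exception):
    """Raised when a free-order request names a ticket that is not free."""


def vulnerable_free_order(request: dict) -> dict:
    """Trusts the client: every listed ticket_id is issued without a price check."""
    return {"status": "completed", "tickets": list(request.get("tickets", []))}


def hardened_free_order(request: dict, catalog: dict = TICKET_CATALOG) -> dict:
    """Issues tickets only when each requested ticket costs 0 in the server catalog.

    Any client-supplied "price" or "total" field in the request is ignored.
    """
    tickets = request.get("tickets", [])
    if not tickets:
        raise ValueError("no tickets requested")
    for ticket_id in tickets:
        price = catalog.get(ticket_id)
        if price is None:
            raise ValueError(f"unknown ticket {ticket_id!r}")
        if price > 0:
            # Paid ticket submitted to the free checkout: refuse, issue nothing.
            raise PaymentRequired(f"{ticket_id!r} costs {price}; use paid checkout")
    return {"status": "completed", "tickets": list(tickets)}


def accepted(handler, request: dict) -> bool:
    """True if the handler completes the order, False if it refuses it."""
    try:
        return handler(request)["status"] == "completed"
    except (PaymentRequired, ValueError):
        return False
```

Note that the hardened handler rejects the whole order when a single paid ticket is mixed in with free ones; partial issuance would still leak the paid item.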

Impact

Exploitation of this vulnerability allows unauthenticated users to access paid tickets without payment, causing a direct loss of revenue.

Remediation

Users are advised to update the Event Tickets and Registration plugin to version 5.26.6 or a newer patched version.

Added: Oct 18, 2025, 7:21 AM
Updated: Oct 18, 2025, 7:21 AM

Vulnerability Rating

Custom Algorithm

spread: 6.4
impact: 3.1
exploitability: 9.0
remediation: 7.7
relevance: 0.7
threat: 3.2
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.