CVE Alert: CVE-2025-11517 – theeventscalendar – Event Tickets and Registration

CVE-2025-11517

HIGH
No exploitation known

The Event Tickets and Registration plugin for WordPress is vulnerable to payment bypass in all versions up to, and including, 5.26.5. This is because the /wp-json/tribe/tickets/v1/commerce/free/order endpoint does not verify that the requested ticket type is actually free, which allows the user to bypass payment. This makes it possible for unauthenticated attackers to obtain paid tickets without paying for them, causing a loss of revenue for the target.

CVSS v3.1 (7.5)
Vendor
theeventscalendar
Product
Event Tickets and Registration
Versions
* ≤ 5.26.5 (all versions up to and including 5.26.5)
CWE
CWE-639 Authorization Bypass Through User-Controlled Key
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Published
2025-10-18T06:42:43.892Z
Updated
2025-10-18T06:42:43.892Z

AI Summary Analysis

Risk verdict: High risk due to unauthenticated bypass of paid ticket payments on a publicly accessible REST endpoint; CVSS indicates high impact but there is no evidence of active exploitation in the data provided.

Why this matters: Attackers can obtain paid tickets without payment, directly eroding revenue and undermining trust in the ticketing flow. Because the request is lightweight and repeatable, it lends itself to automation and can affect many sites running the same plugin.

Most likely attack path: An unauthenticated attacker targets the REST endpoint for free-ticket orders; no user interaction and no privileges are required. The route is network-accessible and low in complexity, enabling rapid, automated attempts to obtain zero-cost tickets and to generate fraudulent traffic or refunds.

Who is most exposed: Publicly accessible WordPress sites running event/ticketing functionality, especially those with the plugin installed and exposed REST endpoints to unauthenticated users.

Detection ideas:

  • Unusual spikes in free-ticket orders or zero-value transactions without corresponding payment records.
  • Repeated unauthenticated requests to the /wp-json/tribe/tickets/v1/commerce/free/order endpoint.
  • Mismatches between ticket issuance and payment gateway logs.
  • Anomalous IPs or user agents interacting with the ticket REST endpoint.
  • Revenue reconciliation anomalies after events or promotions.
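The detection ideas above can be turned into two concrete checks: counting successful POSTs to the free-order endpoint per source address in the web server access log, and reconciling issued tickets against payment gateway records so that any non-zero-price ticket without a matching payment is flagged. The script below is an added example written for this alert, not code from the plugin vendor or the original page. The access log lines, order records and payment records are constructed samples; the endpoint path is the one named in the CVE description, and the per-IP threshold of three orders is an assumed starting point that should be tuned to the site's real traffic.

```python
"""Detection helpers for the free-order payment-bypass pattern.

Constructed example: the log lines and order records below are made up for
illustration. Only the endpoint path comes from the CVE description.
"""
import re
from collections import Counter
from datetime import datetime

FREE_ORDER_PATH = "/wp-json/tribe/tickets/v1/commerce/free/order"

# Combined log format (nginx/Apache). Constructed sample, not real traffic.
SAMPLE_ACCESS_LOG = """\
203.0.113.5 - - [18/Oct/2025:06:40:01 +0000] "POST /wp-json/tribe/tickets/v1/commerce/free/order HTTP/1.1" 200 512 "-" "python-requests/2.32"
203.0.113.5 - - [18/Oct/2025:06:40:02 +0000] "POST /wp-json/tribe/tickets/v1/commerce/free/order HTTP/1.1" 200 512 "-" "python-requests/2.32"
203.0.113.5 - - [18/Oct/2025:06:40:03 +0000] "POST /wp-json/tribe/tickets/v1/commerce/free/order HTTP/1.1" 200 512 "-" "python-requests/2.32"
203.0.113.5 - - [18/Oct/2025:06:40:04 +0000] "POST /wp-json/tribe/tickets/v1/commerce/free/order HTTP/1.1" 200 512 "-" "python-requests/2.32"
198.51.100.7 - - [18/Oct/2025:06:41:10 +0000] "POST /wp-json/tribe/tickets/v1/commerce/free/order HTTP/1.1" 200 512 "https://example.test/event" "Mozilla/5.0"
198.51.100.7 - - [18/Oct/2025:06:41:11 +0000] "GET /wp-json/tribe/tickets/v1/tickets HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.9 - - [18/Oct/2025:06:42:00 +0000] "GET /event/launch-party/ HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse_access_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
            d["status"] = int(d["status"])
            events.append(d)
    return events


def free_order_hits_per_ip(events):
    """Count successful POSTs to the free-order endpoint per source IP.

    Only 2xx responses count, since those are the orders that were created.
    Query strings and trailing slashes are stripped so path variants match.
    """
    hits = Counter()
    for e in events:
        path = e["path"].split("?", 1)[0].rstrip("/")
        if e["method"] == "POST" and path == FREE_ORDER_PATH and 200 <= e["status"] < 300:
            hits[e["ip"]] += 1
    return hits


def flag_repeat_sources(hits, threshold=3):
    """Return IPs that created at least `threshold` free orders (assumed threshold)."""
    return sorted(ip for ip, n in hits.items() if n >= threshold)


# Reconciliation: orders as exported from the ticketing side, payments as
# exported from the gateway. Constructed records, not real data.
SAMPLE_ORDERS = [
    {"order_id": "A100", "ticket": "General Admission", "price": 25.00, "payment_ref": "pay_1"},
    {"order_id": "A101", "ticket": "Community Meetup", "price": 0.00, "payment_ref": None},
    {"order_id": "A102", "ticket": "General Admission", "price": 25.00, "payment_ref": None},
    {"order_id": "A103", "ticket": "VIP", "price": 120.00, "payment_ref": "pay_missing"},
]
SAMPLE_PAYMENTS = {"pay_1": 25.00}


def unpaid_paid_tickets(orders, payments):
    """Return order IDs for non-zero-price tickets with no matching, amount-consistent
    payment. A genuinely free ticket (price 0) never flags, so legitimate free
    events do not create noise."""
    flagged = []
    for o in orders:
        if o["price"] <= 0:
            continue
        paid = payments.get(o["payment_ref"]) if o["payment_ref"] else None
        if paid is None or abs(paid - o["price"]) > 0.005:
            flagged.append(o["order_id"])
    return flagged


if __name__ == "__main__":
    ev = parse_access_log(SAMPLE_ACCESS_LOG)
    hits = free_order_hits_per_ip(ev)
    print("free-order POSTs per IP:", dict(hits))
    print("repeat sources:", flag_repeat_sources(hits))
    print("paid tickets without payment:", unpaid_paid_tickets(SAMPLE_ORDERS, SAMPLE_PAYMENTS))
```

The reconciliation check is the stronger signal of the two: a burst of free orders from one address may be a legitimate group booking, but a ticket with a list price above zero and no gateway payment behind it is exactly the condition this CVE produces, regardless of how the request arrived.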

Mitigation and prioritisation:

  • Patch to version 5.26.6 or newer; apply vendor-supplied fix promptly.
  • If patching is not feasible, implement a WAF rule to block or require authentication for the free-order endpoint.
  • Disable or restrict free-order flow until patched; implement stricter input validation and access controls.
  • Monitor, alert, and log: revenue discrepancies, endpoint access, and user-agent patterns; perform regular reconciliation.
  • Change-management: test in staging before production rollout; communicate upgrade windows.

If KEV is true or EPSS ≥ 0.5, treat as priority 1.
