Skip to main content

Event Tickets Manager for WooCommerce CVE-2026-34898

| EUVDEUVD-2026-36920 HIGH
Missing Authorization (CWE-862)
2026-06-15 Patchstack GHSA-f829-v66j-cjfv
7.5
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
vuln.today AI
7.5 HIGH

Network-reachable WordPress plugin endpoint with missing authorization (PR:N, AC:L, UI:N); advisory describes unauthorized state modification only, so C:N/I:H/A:N.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 15, 2026 - 22:37 vuln.today
CVE Published
Jun 15, 2026 - 20:17 cve.org
HIGH 7.5

DescriptionCVE.org

Unauthenticated Broken Access Control in Event Tickets Manager for WooCommerce <= 1.5.3 versions.

AnalysisAI

Broken access control in the Event Tickets Manager for WooCommerce WordPress plugin (versions up to and including 1.5.3) allows remote unauthenticated attackers to perform restricted actions or modify data without proper authorization checks. The flaw stems from a missing authorization layer (CWE-862) on one or more plugin endpoints, making it reachable directly over HTTP by anyone who can talk to the WordPress site. No public exploit has been identified at time of analysis, but the vulnerability was reported by Patchstack and is tracked under EUVD-2026-36920.

Technical ContextAI

The affected component is the WP Swings 'Event Tickets Manager for WooCommerce' plugin, which extends WooCommerce to sell and manage event tickets on WordPress sites. The root cause is CWE-862 (Missing Authorization): one or more plugin actions (likely AJAX or REST endpoints typical of WooCommerce extensions) fail to verify the caller's capability or nonce before executing, so logic that should be gated to administrators or ticket owners is exposed to anonymous callers. The CPE 'cpe:2.3:a:wp_swings:event_tickets_manager_for_woocommerce' confirms the WP Swings vendor namespace; all branches at or below 1.5.3 are in scope.

RemediationAI

No fixed version is published in the available data, so the status is best described as no vendor-released patch identified at time of analysis; site operators should monitor the Patchstack advisory and the WordPress.org plugin page for a release above 1.5.3 and upgrade as soon as it is published. As compensating controls, restrict access to the plugin's admin-ajax.php and REST endpoints (typically /wp-admin/admin-ajax.php and /wp-json/<plugin-namespace>/*) via a WAF rule or Patchstack vPatch, which may block legitimate front-end ticket flows and should be tested; alternatively, deactivate the plugin entirely if event sales are not currently in use, accepting the loss of ticketing functionality. Sites with strong concerns can also IP-allowlist the WordPress admin and block anonymous POSTs to plugin-specific actions, at the cost of breaking any public-facing ticket purchase or registration that the plugin handles unauthenticated.

Share

CVE-2026-34898 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy