Skip to main content

Event Tickets CVE-2026-42662

| EUVDEUVD-2026-36827 MEDIUM
Authentication Bypass by Spoofing (CWE-290)
2026-06-15 Patchstack GHSA-qx6m-5r77-fx53
6.5
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
vuln.today AI
6.5 MEDIUM

Network-accessible with no authentication required (PR:N, AV:N); spoofing bypass yields only limited integrity and availability impact, no data disclosure.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 15, 2026 - 23:00 vuln.today

DescriptionCVE.org

Unauthenticated Bypass Vulnerability in Event Tickets <= 5.27.5 versions.

AnalysisAI

Unauthenticated authentication bypass in the Event Tickets WordPress plugin (versions ≤ 5.27.5 by Liquid Web / StellarWP) allows remote attackers to circumvent access controls without any credentials, affecting the integrity and availability of ticketing functionality. Classified under CWE-290 (Authentication Bypass by Spoofing), the CVSS vector confirms PR:N and AV:N - meaning any network-accessible attacker can attempt exploitation with low complexity and no user interaction required. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA's KEV catalog, indicating no confirmed active exploitation.

Technical ContextAI

Event Tickets is a WordPress plugin developed by Liquid Web / StellarWP (CPE: cpe:2.3:a:liquid_web_/_stellarwp:event_tickets:*:*:*:*:*:*:*:*) that provides event registration and ticketing capabilities within WordPress environments. The root cause is CWE-290 (Authentication Bypass by Spoofing), a vulnerability class where authentication or access-control decisions rely on data that can be manipulated or forged by an attacker - for example, spoofing a token, cookie value, header, or parameter that the plugin treats as proof of identity or authorization. The unchanged scope (S:U) in the CVSS vector indicates the bypass is confined to the plugin's own trust boundary rather than elevating to WordPress core or the underlying server. The low attack complexity (AC:L) suggests the spoofing mechanism does not require race conditions, timing precision, or additional preconditions beyond crafting a suitable request.

RemediationAI

Update the Event Tickets plugin to a version above 5.27.5 as the primary remediation; the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/event-tickets/vulnerability/wordpress-event-tickets-plugin-5-27-5-bypass-vulnerability-vulnerability) should be consulted for the exact patched release version, which was not independently confirmed in the available intelligence data. If an immediate update is not possible, temporarily deactivating the Event Tickets plugin eliminates the attack surface at the cost of losing all event ticketing functionality for the duration of the deferral. As a partial compensating control, deploying a WAF with WordPress plugin-specific rulesets may detect or block spoofed requests targeting the bypass pattern, though this is not a substitute for patching and may introduce false positives on legitimate ticketing traffic. Operators serving a known or internal audience can further restrict access to event ticket endpoints via IP allowlisting, reducing exposure to opportunistic internet-facing exploitation.

Share

CVE-2026-42662 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy