Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Network-reachable with no auth or interaction required; impact limited to partial integrity and availability with no confidentiality loss, consistent with unauthorized plugin action invocation.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Lifecycle Timeline
2DescriptionCVE.org
Missing Authorization vulnerability in WP Swings Event Tickets Manager for WooCommerce event-tickets-manager-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Event Tickets Manager for WooCommerce: from n/a through <= 1.5.5.
AnalysisAI
Missing Authorization (CWE-862) in the Event Tickets Manager for WooCommerce WordPress plugin versions through 1.5.5 allows unauthenticated remote attackers to exploit incorrectly configured access control levels, resulting in limited but unauthorized modification of data and disruption of availability. The CVSS vector (PR:N/UI:N) confirms exploitation requires no authentication and no user interaction, lowering the barrier for abuse against any WordPress site with the plugin installed and active. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Per the CVSS vector (PR:N/UI:N/AV:N/AC:L), no authentication and no user interaction are required, and exploitation is feasible from any network location without special conditions. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 6.5 Medium score is supported by a network-accessible (AV:N), low-complexity (AC:L), unauthenticated (PR:N), no-interaction (UI:N) attack profile, with impact capped at limited integrity (I:L) and availability (I:L) - no confidentiality loss is indicated (C:N). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated attacker identifies a WordPress site running Event Tickets Manager for WooCommerce version 1.5.5 or earlier, then sends a crafted HTTP POST request to the site's WordPress AJAX handler or REST API endpoint exposed by the plugin, bypassing the absent authorization check to invoke a privileged plugin action - such as modifying event ticket availability, altering ticket status, or disrupting the ticketing workflow. No public POC exists at time of analysis, but the low complexity and lack of authentication make this straightforward to exploit once the specific vulnerable endpoint is identified. |
| Remediation | Update the Event Tickets Manager for WooCommerce plugin to a version beyond 1.5.5. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43472