Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Unauthenticated network action with missing authorization (PR:N, AV:N, AC:L) enables data modification (I:H) but no disclosure or DoS (C:N/A:N).
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
2DescriptionCVE.org
Missing Authorization vulnerability in Nexcess Event Tickets event-tickets allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Event Tickets: from n/a through <= 5.28.5.
AnalysisAI
Broken access control in the Event Tickets WordPress plugin (versions up to and including 5.28.5) lets remote unauthenticated attackers modify data they should not be able to reach because an authorization check is missing on a privileged action. The flaw carries a 7.5 CVSS with an integrity-only impact (I:H) and no confidentiality or availability effect, and there is no public exploit identified at time of analysis. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires only network access to a WordPress site running Event Tickets version 5.28.5 or earlier with the plugin active; the CVSS vector (AV:N/AC:L/PR:N/UI:N) indicates no authentication, no special privileges, and no user interaction are needed against a default configuration. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) describes a network-reachable, low-complexity, unauthenticated action requiring no user interaction, which is why the score is 7.5 despite the impact being limited to integrity - there is no data disclosure (C:N) and no denial of service (A:N). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker sends a crafted HTTP request directly to a vulnerable Event Tickets endpoint on a target WordPress site without logging in, invoking a privileged action that lacks an authorization check. Because no authentication or user interaction is required and complexity is low, the attacker can alter ticket, attendee, or RSVP data at scale across exposed sites. … |
| Remediation | No vendor-released patch version is identified in the provided input, so the primary action is to consult the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/event-tickets/vulnerability/wordpress-event-tickets-plugin-5-28-5-broken-access-control-vulnerability) and upgrade to the next release above 5.28.5 once the vendor publishes it. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, scan all WordPress installations for Event Tickets plugin versions 5.28.5 or earlier to identify scope, and immediately implement Web Application Firewall (WAF) rules or network-level access controls to restrict modifications to plugin administrative functions. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Event Tickets
View allCSV injection in the event-tickets (Event Tickets) plugin before 4.10.7.2 for WordPress exists via the "All Post> Ticket
The Event Tickets and Registration WordPress plugin before 5.8.1, Events Tickets Plus WordPress plugin before 5.9.1 does
The Events Tickets Plus WordPress plugin before 5.9.1 does not prevent users with at least the contributor role from lea
Unauthenticated authentication bypass in the Event Tickets WordPress plugin (versions ≤ 5.27.5 by Liquid Web / StellarWP
The Event Tickets and Registration plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capa
The Event Tickets and Registration plugin for WordPress is vulnerable to unauthorized access of data due to a missing ca
The Event Tickets and Registration plugin for WordPress is vulnerable to Insecure Direct Object Reference in all version
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43360