Skip to main content

Event Tickets CVE-2026-57705

| EUVDEUVD-2026-43360 HIGH
Missing Authorization (CWE-862)
2026-07-13 Patchstack
7.5
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
vuln.today AI
7.5 HIGH

Unauthenticated network action with missing authorization (PR:N, AV:N, AC:L) enables data modification (I:H) but no disclosure or DoS (C:N/A:N).

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 13, 2026 - 10:50 vuln.today
CVE Published
Jul 13, 2026 - 08:41 cve.org
HIGH 7.5

DescriptionCVE.org

Missing Authorization vulnerability in Nexcess Event Tickets event-tickets allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Event Tickets: from n/a through <= 5.28.5.

AnalysisAI

Broken access control in the Event Tickets WordPress plugin (versions up to and including 5.28.5) lets remote unauthenticated attackers modify data they should not be able to reach because an authorization check is missing on a privileged action. The flaw carries a 7.5 CVSS with an integrity-only impact (I:H) and no confidentiality or availability effect, and there is no public exploit identified at time of analysis. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify site running Event Tickets ≤5.28.5
Delivery
Send crafted request to unprotected endpoint
Exploit
Bypass missing authorization check
Execution
Perform privileged state-changing action
Impact
Modify ticket/RSVP data without authentication

Vulnerability AssessmentAI

Exploitation Exploitation requires only network access to a WordPress site running Event Tickets version 5.28.5 or earlier with the plugin active; the CVSS vector (AV:N/AC:L/PR:N/UI:N) indicates no authentication, no special privileges, and no user interaction are needed against a default configuration. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) describes a network-reachable, low-complexity, unauthenticated action requiring no user interaction, which is why the score is 7.5 despite the impact being limited to integrity - there is no data disclosure (C:N) and no denial of service (A:N). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker sends a crafted HTTP request directly to a vulnerable Event Tickets endpoint on a target WordPress site without logging in, invoking a privileged action that lacks an authorization check. Because no authentication or user interaction is required and complexity is low, the attacker can alter ticket, attendee, or RSVP data at scale across exposed sites. …
Remediation No vendor-released patch version is identified in the provided input, so the primary action is to consult the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/event-tickets/vulnerability/wordpress-event-tickets-plugin-5-28-5-broken-access-control-vulnerability) and upgrade to the next release above 5.28.5 once the vendor publishes it. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, scan all WordPress installations for Event Tickets plugin versions 5.28.5 or earlier to identify scope, and immediately implement Web Application Firewall (WAF) rules or network-level access controls to restrict modifications to plugin administrative functions. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-57705 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy