Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Lifecycle Timeline
3DescriptionCVE.org
Authentication Bypass by Spoofing vulnerability in Joe Dolson My Tickets my-tickets allows Identity Spoofing.This issue affects My Tickets: from n/a through <= 2.1.1.
AnalysisAI
My Tickets plugin version 2.1.1 and earlier contains an authentication bypass vulnerability that allows unauthenticated attackers to spoof user identities and gain unauthorized access to ticket systems. The vulnerability requires no user interaction and can be exploited remotely by any network-connected attacker. Currently, no patch is available for this medium-severity issue affecting installations of this WordPress plugin.
Technical ContextAI
My Tickets is a WordPress plugin (identified via CPE cpe:2.3:a:joe_dolson:my_tickets:*:*:*:*:*:*:*:*) that manages ticket-based support systems. The vulnerability stems from inadequate identity verification mechanisms, falling under CWE-290 (Authentication Bypass by Spoofing), which describes flaws where an application fails to properly verify that a user is who they claim to be. Rather than relying on cryptographic authentication tokens or session management, the plugin likely uses insufficient validation of user-supplied identity information, such as user IDs, email addresses, or custom headers that can be trivially forged by an attacker. This allows an attacker to submit requests that claim to represent an authenticated user without proving ownership of that identity.
RemediationAI
Administrators should immediately upgrade the My Tickets plugin to a version newer than 2.1.1 if a patched version is available; consult the Patchstack database and Joe Dolson's official plugin repository for the latest secure release. Until a patch can be deployed, disable or restrict access to the My Tickets plugin functionality through WordPress security plugins or web application firewalls, limit plugin access to administrator-only roles, and monitor access logs for suspicious identity-spoofing attempts. Consider temporarily moving critical ticketing systems to alternative platforms while patching is validated. Ensure all user sessions are invalidated and re-authenticated after patch deployment.
More in My Tickets
View allSame weakness CWE-290 – Authentication Bypass by Spoofing
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-15834
GHSA-gwqv-8w5x-v6cp