Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Network-accessible with no authentication required (PR:N, AV:N); spoofing bypass yields only limited integrity and availability impact, no data disclosure.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated Bypass Vulnerability in Event Tickets <= 5.27.5 versions.
AnalysisAI
Unauthenticated authentication bypass in the Event Tickets WordPress plugin (versions ≤ 5.27.5 by Liquid Web / StellarWP) allows remote attackers to circumvent access controls without any credentials, affecting the integrity and availability of ticketing functionality. Classified under CWE-290 (Authentication Bypass by Spoofing), the CVSS vector confirms PR:N and AV:N - meaning any network-accessible attacker can attempt exploitation with low complexity and no user interaction required. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA's KEV catalog, indicating no confirmed active exploitation.
Technical ContextAI
Event Tickets is a WordPress plugin developed by Liquid Web / StellarWP (CPE: cpe:2.3:a:liquid_web_/_stellarwp:event_tickets:*:*:*:*:*:*:*:*) that provides event registration and ticketing capabilities within WordPress environments. The root cause is CWE-290 (Authentication Bypass by Spoofing), a vulnerability class where authentication or access-control decisions rely on data that can be manipulated or forged by an attacker - for example, spoofing a token, cookie value, header, or parameter that the plugin treats as proof of identity or authorization. The unchanged scope (S:U) in the CVSS vector indicates the bypass is confined to the plugin's own trust boundary rather than elevating to WordPress core or the underlying server. The low attack complexity (AC:L) suggests the spoofing mechanism does not require race conditions, timing precision, or additional preconditions beyond crafting a suitable request.
RemediationAI
Update the Event Tickets plugin to a version above 5.27.5 as the primary remediation; the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/event-tickets/vulnerability/wordpress-event-tickets-plugin-5-27-5-bypass-vulnerability-vulnerability) should be consulted for the exact patched release version, which was not independently confirmed in the available intelligence data. If an immediate update is not possible, temporarily deactivating the Event Tickets plugin eliminates the attack surface at the cost of losing all event ticketing functionality for the duration of the deferral. As a partial compensating control, deploying a WAF with WordPress plugin-specific rulesets may detect or block spoofed requests targeting the bypass pattern, though this is not a substitute for patching and may introduce false positives on legitimate ticketing traffic. Operators serving a known or internal audience can further restrict access to event ticket endpoints via IP allowlisting, reducing exposure to opportunistic internet-facing exploitation.
More in Event Tickets
View allCSV injection in the event-tickets (Event Tickets) plugin before 4.10.7.2 for WordPress exists via the "All Post> Ticket
The Event Tickets and Registration WordPress plugin before 5.8.1, Events Tickets Plus WordPress plugin before 5.9.1 does
The Events Tickets Plus WordPress plugin before 5.9.1 does not prevent users with at least the contributor role from lea
Broken access control in the Event Tickets WordPress plugin (versions up to and including 5.28.5) lets remote unauthenti
The Event Tickets and Registration plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capa
The Event Tickets and Registration plugin for WordPress is vulnerable to unauthorized access of data due to a missing ca
The Event Tickets and Registration plugin for WordPress is vulnerable to Insecure Direct Object Reference in all version
Same weakness CWE-290 – Authentication Bypass by Spoofing
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36827
GHSA-qx6m-5r77-fx53