Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Network-reachable WordPress plugin endpoint with missing authorization (PR:N, AC:L, UI:N); advisory describes unauthorized state modification only, so C:N/I:H/A:N.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
2DescriptionCVE.org
Unauthenticated Broken Access Control in Event Tickets Manager for WooCommerce <= 1.5.3 versions.
AnalysisAI
Broken access control in the Event Tickets Manager for WooCommerce WordPress plugin (versions up to and including 1.5.3) allows remote unauthenticated attackers to perform restricted actions or modify data without proper authorization checks. The flaw stems from a missing authorization layer (CWE-862) on one or more plugin endpoints, making it reachable directly over HTTP by anyone who can talk to the WordPress site. No public exploit has been identified at time of analysis, but the vulnerability was reported by Patchstack and is tracked under EUVD-2026-36920.
Technical ContextAI
The affected component is the WP Swings 'Event Tickets Manager for WooCommerce' plugin, which extends WooCommerce to sell and manage event tickets on WordPress sites. The root cause is CWE-862 (Missing Authorization): one or more plugin actions (likely AJAX or REST endpoints typical of WooCommerce extensions) fail to verify the caller's capability or nonce before executing, so logic that should be gated to administrators or ticket owners is exposed to anonymous callers. The CPE 'cpe:2.3:a:wp_swings:event_tickets_manager_for_woocommerce' confirms the WP Swings vendor namespace; all branches at or below 1.5.3 are in scope.
RemediationAI
No fixed version is published in the available data, so the status is best described as no vendor-released patch identified at time of analysis; site operators should monitor the Patchstack advisory and the WordPress.org plugin page for a release above 1.5.3 and upgrade as soon as it is published. As compensating controls, restrict access to the plugin's admin-ajax.php and REST endpoints (typically /wp-admin/admin-ajax.php and /wp-json/<plugin-namespace>/*) via a WAF rule or Patchstack vPatch, which may block legitimate front-end ticket flows and should be tested; alternatively, deactivate the plugin entirely if event sales are not currently in use, accepting the loss of ticketing functionality. Sites with strong concerns can also IP-allowlist the WordPress admin and block anonymous POSTs to plugin-specific actions, at the cost of breaking any public-facing ticket purchase or registration that the plugin handles unauthenticated.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36920
GHSA-f829-v66j-cjfv