Skip to main content

Event Tickets Manager EUVDEUVD-2026-43472

| CVE-2026-57400 MEDIUM
Missing Authorization (CWE-862)
2026-07-13 Patchstack
6.5
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
vuln.today AI
6.5 MEDIUM

Network-reachable with no auth or interaction required; impact limited to partial integrity and availability with no confidentiality loss, consistent with unauthorized plugin action invocation.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
Low

Lifecycle Timeline

2
Analysis Generated
Jul 13, 2026 - 11:26 vuln.today
CVE Published
Jul 13, 2026 - 08:41 cve.org
MEDIUM 6.5

DescriptionCVE.org

Missing Authorization vulnerability in WP Swings Event Tickets Manager for WooCommerce event-tickets-manager-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Event Tickets Manager for WooCommerce: from n/a through <= 1.5.5.

AnalysisAI

Missing Authorization (CWE-862) in the Event Tickets Manager for WooCommerce WordPress plugin versions through 1.5.5 allows unauthenticated remote attackers to exploit incorrectly configured access control levels, resulting in limited but unauthorized modification of data and disruption of availability. The CVSS vector (PR:N/UI:N) confirms exploitation requires no authentication and no user interaction, lowering the barrier for abuse against any WordPress site with the plugin installed and active. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify WordPress site running vulnerable plugin
Delivery
Send unauthenticated HTTP request to plugin endpoint
Exploit
Bypass missing authorization check
Execution
Execute unauthorized privileged action
Impact
Modify event ticket data or disrupt availability

Vulnerability AssessmentAI

Exploitation Per the CVSS vector (PR:N/UI:N/AV:N/AC:L), no authentication and no user interaction are required, and exploitation is feasible from any network location without special conditions. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 6.5 Medium score is supported by a network-accessible (AV:N), low-complexity (AC:L), unauthenticated (PR:N), no-interaction (UI:N) attack profile, with impact capped at limited integrity (I:L) and availability (I:L) - no confidentiality loss is indicated (C:N). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker identifies a WordPress site running Event Tickets Manager for WooCommerce version 1.5.5 or earlier, then sends a crafted HTTP POST request to the site's WordPress AJAX handler or REST API endpoint exposed by the plugin, bypassing the absent authorization check to invoke a privileged plugin action - such as modifying event ticket availability, altering ticket status, or disrupting the ticketing workflow. No public POC exists at time of analysis, but the low complexity and lack of authentication make this straightforward to exploit once the specific vulnerable endpoint is identified.
Remediation Update the Event Tickets Manager for WooCommerce plugin to a version beyond 1.5.5. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-43472 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy