Description
The Event Tickets and Registration plugin for WordPress is vulnerable to payment bypass in all versions up to, and including, 5.26.5. This is due to the /wp-json/tribe/tickets/v1/commerce/free/order endpoint not verifying that the requested ticket type is actually free, which allows the caller to skip payment. This makes it possible for unauthenticated attackers to obtain paid tickets without paying for them, causing a loss of revenue for the target.
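The defect described above is a missing server-side check: an endpoint whose purpose is to complete checkout for free tickets must itself confirm that the ticket is free, rather than trusting that only free tickets will be sent to it. The following is an added illustration of that check in a WordPress REST endpoint; it is not the plugin's code and does not reproduce its internals. The route namespace (`example/v1`), the ticket and order post types, and the `_ticket_price` meta key are all assumptions made for the example.

```php
<?php
// Added example (not the plugin's code): a "free order" REST endpoint that
// decides on the server whether a ticket is free. Assumptions for this example:
//   - tickets are posts of type 'example_ticket'
//   - the price is stored in post meta under the hypothetical key '_ticket_price'
//   - orders are recorded as posts of type 'example_order'

add_action( 'rest_api_init', function () {
	register_rest_route( 'example/v1', '/commerce/free/order', array(
		'methods'             => 'POST',
		'callback'            => 'example_create_free_order',
		// Free checkout is intentionally reachable without a login; the
		// security decision lives in the callback, not in the permission check.
		'permission_callback' => '__return_true',
		'args'                => array(
			'ticket_id' => array(
				'required'          => true,
				'validate_callback' => function ( $value ) {
					return is_numeric( $value ) && (int) $value > 0;
				},
			),
			'email'     => array(
				'required'          => true,
				'validate_callback' => function ( $value ) {
					return is_email( $value ) !== false;
				},
			),
		),
	) );
} );

/**
 * Return true only when the stored price of the ticket is exactly zero.
 * Missing or malformed price meta is treated as "not free" so that the
 * endpoint fails closed instead of handing out a paid ticket.
 */
function example_ticket_is_free( $ticket_id ) {
	$price = get_post_meta( $ticket_id, '_ticket_price', true ); // hypothetical key
	if ( '' === $price || null === $price || ! is_numeric( $price ) ) {
		return false;
	}
	return 0.0 === (float) $price;
}

function example_create_free_order( WP_REST_Request $request ) {
	$ticket_id = (int) $request->get_param( 'ticket_id' );
	$email     = sanitize_email( $request->get_param( 'email' ) );

	$ticket = get_post( $ticket_id );
	if ( ! $ticket || 'example_ticket' !== $ticket->post_type || 'publish' !== $ticket->post_status ) {
		return new WP_Error( 'example_ticket_not_found', 'Unknown ticket.', array( 'status' => 404 ) );
	}

	// The check that the advisory says was missing: the free-order path must
	// only ever create orders for tickets whose authoritative (server-side)
	// price is zero. Nothing the client sends can influence this decision.
	if ( ! example_ticket_is_free( $ticket_id ) ) {
		// Worth logging: a request for a paid ticket on the free path is either
		// a client bug or an attempted bypass, and either way is a useful signal.
		error_log( sprintf( 'free-order endpoint refused paid ticket %d from %s', $ticket_id, $email ) );
		return new WP_Error( 'example_ticket_not_free', 'This ticket requires payment.', array( 'status' => 403 ) );
	}

	$order_id = wp_insert_post( array(
		'post_type'   => 'example_order',
		'post_status' => 'publish',
		'post_title'  => sprintf( 'Free order for ticket %d', $ticket_id ),
		'meta_input'  => array(
			'_ticket_id'   => $ticket_id,
			'_buyer_email' => $email,
			'_total'       => 0,
		),
	), true );

	if ( is_wp_error( $order_id ) ) {
		return new WP_Error( 'example_order_failed', 'Could not create order.', array( 'status' => 500 ) );
	}

	return rest_ensure_response( array( 'order_id' => $order_id, 'total' => 0 ) );
}
```

The point of the design is that `example_ticket_is_free()` reads the price from the server's own record and fails closed on anything other than an explicit zero; the request body never carries a price or a "free" flag that the handler would trust. The `error_log` call on refusal gives operators a line to alert on, since legitimate clients have no reason to send paid tickets to the free path.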
Problem types
CWE-639 Authorization Bypass Through User-Controlled Key
Product status
Timeline
2025-10-08: Vendor Notified
2025-10-17: Disclosed
Credits
Jack Pas
References
www.wordfence.com/...-2a29-4b66-ab7a-8d8b2f85e2e0?source=cve
plugins.trac.wordpress.org/...s/Free/REST/Order_Endpoint.php