CVE-2025-11517
BaseFortify
Publication date: 2025-10-18
Last updated on: 2025-10-21
Assigner: Wordfence
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordpress | event_tickets | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Event Tickets and Registration plugin for WordPress up to and including version 5.26.5. The REST endpoint /wp-json/tribe/tickets/v1/commerce/free/order is meant to complete orders whose cart costs nothing, but it does not verify that every ticket in the submitted cart is actually free. Because the endpoint is reachable without authentication, any visitor can submit a cart containing paid ticket types to it and have the order completed without a payment step, obtaining paid tickets for nothing. This is an authorization/business-logic flaw (CWE-639): the caller chooses which ticket IDs go into the "free" order and the server trusts that choice instead of checking the price. [1]
How can this vulnerability impact me?
The direct impact is lost revenue: attackers obtain paid tickets without paying. Because the order is completed like any other, the fraudulent tickets are also real tickets, so they count against event capacity and appear in attendee lists, which undermines the integrity of the ticketing records as well as the finances. No account or credential is needed, so every event with paid ticket types on an unpatched site is exposed.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Exploitation always goes through POST requests to /wp-json/tribe/tickets/v1/commerce/free/order (or, on sites without pretty permalinks, /?rest_route=/tribe/tickets/v1/commerce/free/order), so start with the web server access logs: list POSTs to that route, their status codes, source IPs and Referer/User-Agent, and look for bursts from one source, scripted user agents, or calls with no Referer from a checkout page. Access logs do not record the cart contents, so to confirm abuse, correlate the hits with the Tickets Commerce order records: any completed "free" order whose tickets have a non-zero price is a bypass. If the site sells no free tickets at all, every successful (2xx) request to this endpoint is suspect. To verify whether a site is still vulnerable, a request of roughly this shape can be sent against a staging copy you control (the exact request body format is not documented on this page, and a successful request creates a real order): curl -X POST https://yourwordpresssite.com/wp-json/tribe/tickets/v1/commerce/free/order -d '{"cart": [{"ticket_id": "<paid_ticket_id>", "quantity": 1}]}' -H 'Content-Type: application/json'. A 2xx response that creates an order for a paid ticket ID means the check is missing; a 4xx rejection means the validation added in the fixed version is in place. [1]
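As an added example (not code from BaseFortify, Wordfence or the Event Tickets plugin), the following Python script implements the access-log side of that check. It parses nginx/Apache "combined" log lines, normalises both URL forms of the free-order route (including sites installed in a subdirectory), collects every POST to it, and counts completed (2xx) orders per source IP so that bursts surface first. The log lines embedded in it are constructed for the example; the IP addresses, timestamps and the threshold of three orders are assumptions, not indicators from the advisory.

```python
"""Added example: scan combined-format web server access logs for POSTs to the
Tickets Commerce free-order REST endpoint (CVE-2025-11517) and flag sources that
completed several such orders. Not code from BaseFortify or the plugin."""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable
from urllib.parse import parse_qs, urlsplit

# REST route named in the advisory, without the /wp-json prefix.
FREE_ORDER_ROUTE = "/tribe/tickets/v1/commerce/free/order"

# nginx "combined" / Apache "combined" log line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log (not real traffic): a burst from a scripted client,
# one ordinary checkout, one rejected attempt, and one malformed line.
SAMPLE_LOG = """
203.0.113.5 - - [19/Oct/2025:10:01:02 +0000] "POST /wp-json/tribe/tickets/v1/commerce/free/order HTTP/1.1" 200 512 "-" "curl/8.4.0"
203.0.113.5 - - [19/Oct/2025:10:01:03 +0000] "POST /wp-json/tribe/tickets/v1/commerce/free/order HTTP/1.1" 200 512 "-" "curl/8.4.0"
203.0.113.5 - - [19/Oct/2025:10:01:04 +0000] "POST /?rest_route=/tribe/tickets/v1/commerce/free/order HTTP/1.1" 200 512 "-" "curl/8.4.0"
198.51.100.7 - - [19/Oct/2025:10:05:00 +0000] "GET /wp-json/tribe/tickets/v1/tickets HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [19/Oct/2025:10:06:00 +0000] "POST /wp-json/tribe/tickets/v1/commerce/free/order HTTP/1.1" 200 512 "https://shop.example/event/launch/" "Mozilla/5.0"
192.0.2.9 - - [19/Oct/2025:10:07:00 +0000] "POST /wp-json/tribe/tickets/v1/commerce/free/order HTTP/1.1" 400 98 "-" "python-requests/2.32"
this line is not in combined format
"""


@dataclass(frozen=True)
class Hit:
    ip: str
    time: str
    status: int
    direct: bool  # no Referer: the call did not come from a checkout page


def rest_route(target: str) -> str | None:
    """Normalise a request target to its WP REST route, or None if it is not
    a REST call. Handles pretty permalinks (/wp-json/...), sites installed in
    a subdirectory (/blog/wp-json/...), and the ?rest_route=... form."""
    url = urlsplit(target)
    query = parse_qs(url.query)
    if "rest_route" in query:
        route = query["rest_route"][0]
    else:
        idx = url.path.find("/wp-json/")
        if idx < 0:
            return None
        route = url.path[idx + len("/wp-json"):]
    return route.rstrip("/") or "/"


def parse_line(line: str) -> dict | None:
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def scan(lines: Iterable[str]) -> list[Hit]:
    """Return every POST to the free-order route, whatever its status."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["method"] != "POST":
            continue
        if rest_route(rec["target"]) != FREE_ORDER_ROUTE:
            continue
        hits.append(Hit(rec["ip"], rec["time"], int(rec["status"]),
                        direct=rec["referer"] == "-"))
    return hits


def flag_sources(hits: Iterable[Hit], threshold: int = 3) -> dict[str, int]:
    """Count completed (2xx) free orders per source IP and return those at or
    above the threshold. On a site that sells no free tickets any 2xx here
    deserves a look; the threshold only prioritises bursts."""
    per_ip = Counter(h.ip for h in hits if 200 <= h.status < 300)
    return {ip: n for ip, n in per_ip.items() if n >= threshold}


if __name__ == "__main__":
    found = scan(SAMPLE_LOG.strip().splitlines())
    for h in found:
        print(f"{h.time}  {h.ip:<14} {h.status}  {'direct' if h.direct else 'from site'}")
    print("sources to investigate:", flag_sources(found))
```

Run it against a real log with `scan(open("access.log"))`; the flagged IPs are the starting point, and the matching order records (ticket price versus amount paid) are what confirms a bypass.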
What immediate steps should I take to mitigate this vulnerability?
Immediately update the Event Tickets and Registration WordPress plugin to version 5.26.6 or later. That release adds validation to the free-order endpoint so that only carts with a total of $0.00 can be completed through it, which closes the payment bypass. Until the update is applied, restrict access to /wp-json/tribe/tickets/v1/commerce/free/order (and the equivalent ?rest_route= form) at the web server or WAF if the site sells no free tickets, or add server-side validation that rejects any free-order request whose cart contains a ticket with a non-zero price. After patching, review recent completed orders with no payment against the affected ticket types and cancel any that were issued for paid tickets. [1]