CVE-2025-11517
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-18

Last updated on: 2025-10-21

Assigner: Wordfence

Description
The Event Tickets and Registration plugin for WordPress is vulnerable to payment bypass in all versions up to, and including, 5.26.5. This is due to the /wp-json/tribe/tickets/v1/commerce/free/order endpoint not verifying that a ticket type should be free allowing the user to bypass the payment. This makes it possible for unauthenticated attackers to obtain access to paid tickets, without paying for them, causing a loss of revenue for the target.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-18
Last Modified
2025-10-21
Generated
2026-06-16
AI Q&A
2025-10-18
EPSS Evaluated
2026-06-14
NVD
CVE-2025-11517
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wordpress event_tickets *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Event Tickets and Registration plugin for WordPress up to version 5.26.5. It allows unauthenticated attackers to bypass payment by exploiting the /wp-json/tribe/tickets/v1/commerce/free/order endpoint, which does not verify if a ticket type should be free. As a result, attackers can obtain paid tickets without paying for them. [1]

Impact Analysis

The vulnerability can lead to a loss of revenue because attackers can obtain paid tickets without making any payment. This unauthorized access to paid tickets can affect the financial integrity of the ticketing system.

Detection Guidance

You can detect attempts to exploit this vulnerability by monitoring HTTP requests to the endpoint /wp-json/tribe/tickets/v1/commerce/free/order. Look for requests that attempt to create orders with paid tickets but bypass payment. For example, using command-line tools like curl or network monitoring tools, you can check for POST requests to this endpoint with non-zero cart totals. A sample curl command to test might be: curl -X POST https://yourwordpresssite.com/wp-json/tribe/tickets/v1/commerce/free/order -d '{"cart": [{"ticket_id": "<paid_ticket_id>", "quantity": 1}]}' -H 'Content-Type: application/json'. If the server processes this without error, it indicates vulnerability. Additionally, inspecting server logs for such requests without corresponding payment can help detect exploitation attempts. [1]

Mitigation Strategies

Immediately update the Event Tickets and Registration WordPress plugin to version 5.26.6 or later. This version includes a fix that adds validation to the free order endpoint, ensuring that only carts with a total of $0.00 can be processed, thereby preventing payment bypass. Until the update is applied, consider restricting access to the /wp-json/tribe/tickets/v1/commerce/free/order endpoint or implementing additional server-side validation to block orders with paid tickets that do not require payment. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-11517. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart