CVE-2026-34898
Description
An unauthenticated broken access control vulnerability in Event Tickets Manager for WooCommerce <=1.5.3 allows attackers to perform privileged actions without authorization.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
An unauthenticated broken access control vulnerability exists in the Event Tickets Manager for WooCommerce plugin for WordPress versions up to and including 1.5.3 [1]. The plugin fails to properly enforce authorization checks, allowing unauthenticated users to perform actions that should require higher privileges [1]. This affects all installations running the affected versions.
Exploitation
An attacker does not need any authentication or prior access to the target WordPress site [1]. The vulnerability can be exploited remotely by sending crafted requests to the affected plugin's functions that lack proper access controls [1]. No user interaction or special network position is required beyond standard internet access.
Impact
Successful exploitation leads to unauthorized access to privileged actions within the plugin, potentially allowing an attacker to modify events, tickets, or other sensitive data [1]. This compromises the integrity and availability of the ticketing system. The CVSS v3 base score is 7.5 (High), indicating significant impact [1].
Mitigation
The vulnerability is fixed in version 1.5.4 of the plugin [1]. Users should update immediately. Patchstack users can enable auto-updates for vulnerable plugins [1]. There are no known workarounds other than updating; if unable to update, users should seek assistance from their hosting provider [1]. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of publication.
AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=1.5.3
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
News mentions
No linked articles in our index yet.