VYPR

Event Tickets

by WordPress

CVEs (9)

  • CVE-2025-30794 | High | Apr 1, 2025
    risk 0.46 | cvss 7.1 | epss 0.00

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in StellarWP Event Tickets event-tickets allows Reflected XSS. This issue affects Event Tickets: from n/a through <= 5.20.0.

  • CVE-2026-42662 | Medium | Jun 15, 2026
    risk 0.42 | cvss 6.5 | epss 0.00

    Unauthenticated Bypass Vulnerability in Event Tickets <= 5.27.5 versions.

  • CVE-2025-11517 | High | Oct 18, 2025
    risk 0.42 | cvss 7.5 | epss 0.00

    The Event Tickets and Registration plugin for WordPress is vulnerable to payment bypass in all versions up to, and including, 5.26.5. This is due to the /wp-json/tribe/tickets/v1/commerce/free/order endpoint not verifying that a ticket type should be free allowing the user to…

  • CVE-2025-62027 | Medium | Oct 22, 2025
    risk 0.35 | cvss 5.4 | epss 0.00

    Missing Authorization vulnerability in StellarWP Event Tickets event-tickets. This issue affects Event Tickets: from n/a through <= 5.26.3.

  • CVE-2024-38762 | Medium | Jan 2, 2025
    risk 0.28 | cvss 4.3 | epss 0.00

    Cross-Site Request Forgery (CSRF) vulnerability in StellarWP Event Tickets event-tickets allows Cross Site Request Forgery. This issue affects Event Tickets: from n/a through <= 5.11.0.4.

  • CVE-2024-1053 | Medium | Feb 22, 2024
    risk 0.21 | cvss 4.3 | epss 0.00

    The Event Tickets and Registration plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'email' action in all versions up to, and including, 5.8.1. This makes it possible for authenticated attackers, with contributor-level…

  • CVE-2024-1319 | Mar 4, 2024
    risk 0.00 | cvss - | epss 0.00

    The Events Tickets Plus WordPress plugin before 5.9.1 does not prevent users with at least the contributor role from leaking the attendees list on any post type regardless of status (e.g. draft, private, pending review, password-protected, and trashed posts).

  • CVE-2021-25028 | Jan 24, 2022
    risk 0.00 | cvss - | epss 0.02

    The Event Tickets WordPress plugin before 5.2.2 does not validate the tribe_tickets_redirect_to parameter before redirecting the user to the given value, leading to an arbitrary redirect issue.

  • CVE-2019-16120 | Sep 8, 2019
    risk 0.00 | cvss - | epss 0.03

    CSV injection in the event-tickets (Event Tickets) plugin before 4.10.7.2 for WordPress exists via the "All Post > Ticketed > Attendees" Export Attendees feature.