[CVE-2025-11517] Free Tickets for Sale – How a Logic Error Skips Payment in WordPress Event Tickets

Volerion Research

TL;DR
Event organizers running Event Tickets ≤ 5.26.5 risk giving away paid seats. An unauthenticated request to /wp-json/tribe/tickets/v1/commerce/free/order creates a valid order even when the ticket type is meant to cost money. Updating to 5.26.6 blocks the trick by validating the ticket’s pricing metadata.


1. Summary

CVE ID: CVE-2025-11517
Affected Product(s): Event Tickets and Registration for WordPress 5.26.5 and earlier
Volerion Risk Score: 7.1 / 10
Exploit Status: No public PoC as of publication, but trivial to reproduce with curl
CISA KEV: No

The plugin’s “free” commerce gateway assumes every incoming order targets a free ticket and therefore skips price validation and payment processing. Because the endpoint is exposed through WordPress’s unauthenticated REST API, anyone on the internet can claim as many tickets as inventory allows. Confidentiality remains intact, yet integrity and business logic suffer—organizers lose revenue and attendee data becomes unreliable.


2. Context – Why this bug is more than a nuisance

Event Tickets powers registration workflows for conferences, concerts, webinars and even charity fund-raisers. With more than 100 000 active installations it sits in the sweet spot where high adoption meets frequent public exposure, since event pages are by nature shared widely. A successful exploit undermines the trust relationship between organizer and customer and may lead to oversold venues, compliance headaches and charge-back disputes when payment processors flag mismatched orders.

On sites that bundle premium add-ons like Event Tickets Plus the damage grows. The plugin can inject order data into WooCommerce, trigger QR code generation and allocate individual seat maps. Once an attacker reserves tickets without paying, real customers see them as sold out, which translates to an opportunity cost even for events that do not charge at the door.


3. Technical Details – Digging into the REST endpoint

The vulnerable code lives in src/Tickets/Commerce/Gateways/Free/REST/Order_Endpoint.php. The handler behind /wp-json/tribe/tickets/v1/commerce/free/order performs the following steps:

  1. Accepts a JSON payload containing ticket_id, quantity and attendee metadata.
  2. Instantiates an order object using the free commerce gateway class.
  3. Immediately marks the order as complete without checking whether the chosen ticket_id is classified as free in post meta.

Because the gateway class is bound to the free namespace, the developer likely assumed it would only ever receive zero-cost tickets. In reality nothing stops a client from referencing any ticket post ID: the handler never calls the helper that checks whether the ticket is free and never reads the ticket's _price meta before completing the order. After success the plugin:

Creating an order requires no cookies or nonces, so the exploit can be fired off-site with a single POST request:

curl -X POST https://victim.site/wp-json/tribe/tickets/v1/commerce/free/order \
  -H "Content-Type: application/json" \
  -d '{"ticket_id":1234,"quantity":2,"attendees":[{"email":"attacker@example.com"}]}'

The patch shipped in version 5.26.6 adds a guard clause:

if ( ! $ticket->is_free() ) {
    return new \WP_Error( 'ticket_not_free', __( 'Ticket requires payment', 'event-tickets' ), [ 'status' => 403 ] );
}

The endpoint now aborts with a 403 unless the ticket’s _price field equals zero.


4. Impact – Money lost and metrics skewed

The most direct consequence is revenue loss. Every ticket obtained through the flaw is money the organizer never receives. For free-entry events that rely on headcount to manage catering or space, a sudden surge of bogus reservations leads to wasted resources or dissatisfied patrons turned away at the door.

Because the plugin also interacts with WooCommerce’s inventory tables and optional QR code check-in, admins may see reconciliation errors when scanning tickets at the venue. Fraudulent orders are indistinguishable from legitimate ones unless staff cross-checks the transaction logs manually.

From a security standpoint, attackers gain neither code execution nor database access, but the business-logic abuse still rates high: the endpoint requires no authentication, the request costs nothing to send, and the plugin's install base is large.
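One cross-check that does not depend on the plugin's own records is the web server access log, since every abuse of this flaw is a POST to one known route. The script below is an added example for this write-up, not code from Event Tickets or Volerion; it assumes a combined-format access log and matches both the pretty-permalink path and the ?rest_route= form that WordPress also accepts, which a plain grep for /wp-json/ would miss. The sample lines are constructed for illustration.

```php
<?php
// Added example for this write-up, not code from Event Tickets or Volerion.
// Scans a combined-format access log for POSTs to the free-order REST route so
// that bursts of unauthenticated order creation can be matched against the
// orders the plugin recorded in the same window.
declare(strict_types=1);

const FREE_ORDER_ROUTE = '/tribe/tickets/v1/commerce/free/order';

/** Parse one combined-log-format line; returns null when the line does not match. */
function parse_access_log_line(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)(?: [^"]*)?" (\d{3}) (\S+)(?: "([^"]*)" "([^"]*)")?/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return [
        'ip'     => $m[1],
        'time'   => $m[2],
        'method' => $m[3],
        'target' => $m[4],
        'status' => (int) $m[5],
        'ua'     => $m[8] ?? '',
    ];
}

/**
 * True when the request target addresses the free-order route, either as the
 * pretty-permalink path (/wp-json/...) or as ?rest_route=..., which WordPress
 * serves as well when pretty permalinks are off.
 */
function targets_free_order_route(string $target): bool
{
    $parts = parse_url($target);
    if ($parts === false) {
        return false;
    }
    $path   = rtrim($parts['path'] ?? '', '/');
    $suffix = '/wp-json' . FREE_ORDER_ROUTE;   // suffix match tolerates sub-directory installs
    if (substr($path, -strlen($suffix)) === $suffix) {
        return true;
    }
    parse_str($parts['query'] ?? '', $query);
    return rtrim((string) ($query['rest_route'] ?? ''), '/') === FREE_ORDER_ROUTE;
}

/**
 * Returns [ip => [accepted, rejected, first, last, agents]] for every client that
 * POSTed to the route. 2xx answers are the requests that may have created an order;
 * 403s are what the 5.26.6 guard returns, so they show attempts after patching.
 */
function summarize_free_order_posts(iterable $lines): array
{
    $summary = [];
    foreach ($lines as $line) {
        $r = parse_access_log_line($line);
        if ($r === null || $r['method'] !== 'POST' || !targets_free_order_route($r['target'])) {
            continue;
        }
        $ip = $r['ip'];
        $summary[$ip] ??= ['accepted' => 0, 'rejected' => 0, 'first' => $r['time'], 'last' => $r['time'], 'agents' => []];
        $bucket = ($r['status'] >= 200 && $r['status'] < 300) ? 'accepted' : 'rejected';
        $summary[$ip][$bucket]++;
        $summary[$ip]['last'] = $r['time'];
        $summary[$ip]['agents'][$r['ua']] = true;
    }
    return $summary;
}

// Constructed sample lines (not from a real incident); pass a log path as argv[1] to scan a real file.
$sample = [
    '203.0.113.5 - - [18/Oct/2025:07:20:01 +0000] "POST /wp-json/tribe/tickets/v1/commerce/free/order HTTP/1.1" 200 512 "-" "curl/8.4.0"',
    '203.0.113.5 - - [18/Oct/2025:07:20:02 +0000] "POST /wp-json/tribe/tickets/v1/commerce/free/order HTTP/1.1" 200 512 "-" "curl/8.4.0"',
    '198.51.100.7 - - [18/Oct/2025:07:21:10 +0000] "POST /index.php?rest_route=/tribe/tickets/v1/commerce/free/order HTTP/1.1" 403 97 "-" "python-requests/2.32"',
    '192.0.2.9 - - [18/Oct/2025:07:22:00 +0000] "GET /event/launch-party/ HTTP/1.1" 200 8213 "-" "Mozilla/5.0"',
];
$lines = isset($argv[1]) ? (file($argv[1], FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) ?: []) : $sample;

foreach (summarize_free_order_posts($lines) as $ip => $s) {
    printf("%-16s accepted=%d rejected=%d first=%s last=%s agents=%s\n",
        $ip, $s['accepted'], $s['rejected'], $s['first'], $s['last'], implode(',', array_keys($s['agents'])));
}
```

On the sample data the script reports two accepted POSTs from 203.0.113.5 and one rejected POST from 198.51.100.7. Accepted hits from before the upgrade are the ones to reconcile against orders in the plugin and, where Event Tickets Plus is in use, against WooCommerce, since a legitimate free-ticket order produces the same log line as an abusive one.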


5. Remediation – How to close the gap

Update Event Tickets to 5.26.6 or any later version. The vendor’s changelog lists no breaking database migrations, so applying the patch is a routine plugin upgrade through the WordPress dashboard or wp plugin update event-tickets.

If an immediate upgrade is impossible, short-term mitigations include:

These workarounds lower convenience for genuine users and should remain temporary.
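Where the upgrade must wait, the same check the 5.26.6 guard clause performs can be applied in front of the endpoint as a must-use plugin, so the vulnerable handler never sees a request for a priced ticket. The file below is an added example for this write-up and not code shipped by Event Tickets; it assumes, as the write-up states, that a ticket's price is stored in the _price post meta and that the request carries the ticket as ticket_id (the curl example above). Drop it into wp-content/mu-plugins/ and delete it once the site runs 5.26.6 or later.

```php
<?php
/**
 * Plugin Name: Free-order price guard (temporary virtual patch)
 * Description: Rejects Event Tickets "free" commerce orders whose ticket carries a non-zero price.
 *
 * Added example for this write-up; not code from Event Tickets. Assumptions: the ticket
 * price lives in the `_price` post meta and the request names the ticket as `ticket_id`.
 * Remove the file once Event Tickets 5.26.6 or later is installed.
 */
declare(strict_types=1);

const ET_GUARD_FREE_ORDER_ROUTE = '/tribe/tickets/v1/commerce/free/order';

/**
 * True when the ticket post exists and its `_price` meta is exactly zero; null when the
 * price cannot be read (missing post, missing or non-numeric meta). The caller treats
 * null as "not free", i.e. the guard fails closed.
 */
function et_guard_ticket_is_free(int $ticket_id): ?bool
{
    if (!get_post($ticket_id)) {
        return null;
    }
    $price = get_post_meta($ticket_id, '_price', true);   // assumed meta key, see lead-in
    if ($price === '' || !is_numeric($price)) {
        return null;
    }
    return (float) $price === 0.0;
}

/**
 * Runs on rest_pre_dispatch, i.e. before WordPress routes the REST request to any
 * handler. Returning a WP_Error short-circuits dispatch, so the plugin's order code
 * is never reached for a priced ticket. Every other route is passed through untouched.
 */
function et_guard_free_order_endpoint($result, $server, $request)
{
    if ($result !== null) {
        return $result;   // another filter already produced a response
    }
    if ($request->get_method() !== 'POST'
        || rtrim($request->get_route(), '/') !== ET_GUARD_FREE_ORDER_ROUTE) {
        return $result;
    }

    // get_param() reads the JSON body as well as query and URL parameters.
    $ticket_id = $request->get_param('ticket_id');
    if (!is_numeric($ticket_id) || et_guard_ticket_is_free((int) $ticket_id) !== true) {
        error_log(sprintf(
            'free-order guard: rejected ticket_id=%s from %s',
            var_export($ticket_id, true),
            $_SERVER['REMOTE_ADDR'] ?? 'unknown'
        ));
        return new WP_Error(
            'ticket_not_free',
            __('Ticket requires payment', 'event-tickets'),
            ['status' => 403]
        );
    }
    return $result;
}
add_filter('rest_pre_dispatch', 'et_guard_free_order_endpoint', 10, 3);
```

The guard fails closed: a ticket whose price cannot be read is refused, and a request that omits ticket_id is refused as well. Before relying on it, place one genuinely free ticket order through the site to confirm that free tickets on that installation actually carry a zero _price value; if they do not, legitimate free orders will be blocked and the meta lookup needs adjusting. The error_log line gives staff a record of rejected attempts to compare with the access log.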


6. Timeline

Date (UTC)         Milestone
2025-10-18 07:15   CVE-2025-11517 published
2025-10-18 07:18   Volerion enrichment and risk score released

7. References


About Volerion

Volerion delivers AI-driven enrichment minutes after a CVE goes live. A single call to our REST API returns CVSS 4.0 vectors, exploitability metrics and affected products, complete with remediation. Additionally, we offer different scoring profiles, with insight into the eight categories that make up the final score. Our API is also available in the traditional NVD API 2.0 format, so integration is as simple as swapping hosts. Spend less time parsing CVEs and more time closing them.

How the Volerion Risk Score Fits With CVSS, EPSS and KEV

At the time of writing:

The Volerion Risk Score of 7.1 blends these inputs with real-world context such as install base, exploit maturity and patch effort, providing a priority figure that security teams can act on immediately.

