Payment Bypass Vulnerability in Event Tickets and Registration Plugin for WordPress
CVE-2025-11517

7.5HIGH

Key Information:

Vendor: WordPress
Status: Event Tickets And Registration
Vendor: CVE Published:; 18 October 2025

What is CVE-2025-11517?

The Event Tickets and Registration plugin for WordPress has a flaw that allows unauthenticated users to exploit the /wp-json/tribe/tickets/v1/commerce/free/order endpoint. This endpoint fails to verify if a ticket type is legitimately free, enabling malicious actors to circumvent payment processes and gain unauthorized access to paid tickets. This vulnerability presents a significant revenue loss risk for the affected entities.

Affected Version(s)

Event Tickets and Registration * <= 5.26.5

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/changeset/3378214/even...

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Oct 18, 2025
Vulnerability Reserved
Oct 8, 2025

Credit

Jack Pas

JSON