CVE-2025-3761 HIGH

CVE-2025-3761: My Tickets – Accessible Event Ticketing <= 2.0.16 - Authenticated (Subscriber+) Privilege Escalation

Vendor: Joedolson
Product: My Tickets – Accessible Event Ticketing
Weakness: CWE-269
Published: April 24, 2025
Last update: April 8, 2026

CVSS base score

8.8/10
Attack vector: Network
Attack complexity: Low
Privileges required: Low
User interaction: None
Confidentiality: High
Integrity: High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01 Description

The My Tickets – Accessible Event Ticketing plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 2.0.16. This is due to the mt_save_profile() function not properly restricting which users are allowed to update roles. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update their role to that of an administrator.
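As an added example (not code from the plugin or from this record), the following Python check classifies a plugin's main-file header against the affected range stated above. The sample headers and site labels are constructed, and the parsing assumes the standard WordPress `Version:` plugin header.

```python
import re

# Last affected release according to the description above.
LAST_AFFECTED = (2, 0, 16)

# WordPress plugins declare their version in the main file's header comment.
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:\s*(\S+)", re.IGNORECASE | re.MULTILINE)


def parse_version(header_text):
    """Return the numeric release tuple from a plugin header, or None."""
    m = VERSION_RE.search(header_text)
    if not m:
        return None
    # Keep only the leading dotted-number part: "2.0.16-beta1" -> (2, 0, 16).
    nums = re.match(r"\d+(?:\.\d+)*", m.group(1))
    if not nums:
        return None
    return tuple(int(p) for p in nums.group(0).split("."))


def is_affected(header_text):
    """True if within the affected range, False if newer, None if unreadable."""
    ver = parse_version(header_text)
    if ver is None:
        return None  # needs manual review; do not treat as safe
    # Pad to equal length so (2, 0) compares as (2, 0, 0).
    width = max(len(ver), len(LAST_AFFECTED))
    padded = ver + (0,) * (width - len(ver))
    limit = LAST_AFFECTED + (0,) * (width - len(LAST_AFFECTED))
    return padded <= limit


def audit(headers):
    """Map each inventory label to its is_affected() result."""
    return {label: is_affected(text) for label, text in headers.items()}


# Constructed sample headers keyed by hypothetical site labels.
SAMPLES = {
    "site-a": "<?php\n/**\n * Plugin Name: My Tickets\n * Version: 2.0.16\n */",
    "site-b": "<?php\n/**\n * Plugin Name: My Tickets\n * Version: 2.1.0\n */",
    "site-c": "<?php\n/**\n * Plugin Name: My Tickets\n * Version: 2.0.9-beta1\n */",
    "site-d": "<?php\n/**\n * Plugin Name: My Tickets\n */",
}

if __name__ == "__main__":
    for label, result in audit(SAMPLES).items():
        print(label, {True: "affected", False: "not in range", None: "review"}[result])
```

A `None` result means the header carried no readable version and the install should be checked by hand.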

Explanation of Vulnerability in Simple Terms

02 Summary

My Tickets allows authenticated users with low privileges to perform actions restricted to higher-privilege roles. An attacker with a standard user account can read sensitive event data, modify ticket information, and disrupt ticketing operations. The vulnerability stems from insufficient privilege checks in the plugin's access control logic.

What an attacker can do

03 Attacker Capabilities

Read event data, modify tickets, and disrupt ticketing operations with a low-privilege user account.

Potential impact on your site

04 Site Impact

Ticket data and event information can be accessed or modified by unauthorized users; ticketing operations may be disrupted.

Conditions required to exploit

05 Prerequisites

Attacker must have a valid user account with low privileges on the site.

Key dates

06 Disclosure timeline

April 24, 2025: CVE published
April 8, 2026: Record updated