CVE-2025-62027 MEDIUM

CVE-2025-62027: WordPress Event Tickets plugin <= 5.26.3 - Broken Access Control vulnerability

Vendor Stellarwp

Product Event Tickets

Weakness CWE-862 · Missing authorization

Published October 22, 2025

Last update April 28, 2026

View on NVD All CVEs

CVSS base score

5.4/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality Low

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

What the vulnerability does

01Description

Missing Authorization vulnerability in StellarWP Event Tickets event-tickets.This issue affects Event Tickets: from n/a through <= 5.26.3.

Explanation of Vulnerability in Simple Terms

02Summary

Event Tickets versions up to 5.26.3 lack proper authorization checks, allowing authenticated users to read and modify data they should not have access to. An attacker with a low-privilege account can view or alter sensitive event information without the site owner's permission. Update to a version newer than 5.26.3 to resolve this issue.

What an attacker can do

03Attacker Capabilities

Read and modify event data belonging to other users or restricted events.

Potential impact on your site

04Site Impact

Unauthorized users can access and alter event information, compromising data integrity and privacy.

Conditions required to exploit

05Prerequisites

Attacker must have a low-privilege account on the site; no user interaction required.

Key dates

06Disclosure timeline

October 22, 2025 CVE published

April 28, 2026 Record updated

External resources

07References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-62027 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/862.html

Related vulnerabilities