[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fErT6Q2pq-jBZRIKCtjgXE8MOwYEEfEOVqNs5j4gTH1Y":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":20,"research_plan":32,"research_summary":33,"research_vulnerable_code":34,"research_fix_diff":35,"research_exploit_outline":36,"research_model_used":37,"research_started_at":38,"research_completed_at":39,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":40},"CVE-2026-42662","event-tickets-and-registration-missing-authorization-2","Event Tickets and Registration \u003C= 5.27.5 - Missing Authorization","The Event Tickets and Registration plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 5.27.5. This makes it possible for unauthenticated attackers to perform an unauthorized action.","event-tickets",null,"\u003C=5.27.5","5.27.6.1","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-05-02 00:00:00","2026-05-04 14:01:17",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F438dfea4-21f1-4796-9c1b-81aebd8842f2?source=api-prod",3,[22,23,24,25,26,27,28,29],"changelog.md","common\u002Fvendor\u002Fvendor-prefixed\u002Fautoload.php","common\u002Fvendor\u002Fvendor-prefixed\u002Fcomposer\u002Fautoload_real.php","common\u002Fvendor\u002Fvendor-prefixed\u002Fcomposer\u002Fautoload_static.php","event-tickets.php","readme.txt","src\u002FTickets\u002FCommerce\u002FGateways\u002FPayPal\u002FREST\u002FOrder_Endpoint.php","src\u002FTickets\u002FCommerce\u002FGateways\u002FSquare\u002FREST\u002FOrder_Endpoint.php","researched",false,"This research plan targets **CVE-2026-42662**, a missing authorization vulnerability in the **Event Tickets and Registration** plugin. The vulnerability allows unauthenticated attackers to manipulate orders via the plugin's REST API endpoints for PayPal and Square commerce gateways.\n\n### 1. Vulnerability Summary\nThe `Order_Endpoint` classes for both PayPal and Square gateways register REST API routes with `'permission_callback' => '__return_true'`. This explicitly allows unauthenticated access to the endpoints. While unauthenticated order *creation* is often intended for guest checkouts, the endpoints for *updating* and *deleting* (failing) orders also use the same permissive callback without secondary ownership or capability checks within the handler functions.\n\n### 2. Attack Vector Analysis\n*   **Endpoints:**\n    *   PayPal: `DELETE \u002Fwp-json\u002Ftec\u002Fv1\u002Fcommerce\u002Fpaypal\u002Forder\u002F{order_id}`\n    *   PayPal: `POST \u002Fwp-json\u002Ftec\u002Fv1\u002Fcommerce\u002Fpaypal\u002Forder\u002F{order_id}`\n    *   Square: `DELETE \u002Fwp-json\u002Ftec\u002Fv1\u002Fcommerce\u002Fsquare\u002Forder\u002F{order_id}`\n*   **Vulnerable Parameter:** `order_id` (Gateway-specific order identifier string).\n*   **Authentication:** None required (`PR:N`).\n*   **Preconditions:** \n    1.  The \"Tickets Commerce\" feature must be enabled.\n    2.  The PayPal or Square gateway must be configured.\n    3.  A valid Gateway Order ID must be known (can be obtained by initiating a guest order).\n\n### 3. Code Flow\n1.  **Registration:** In `src\u002FTickets\u002FCommerce\u002FGateways\u002FPayPal\u002FREST\u002FOrder_Endpoint.php`, the `register()` method","The Event Tickets and Registration plugin for WordPress fails to properly restrict access to its PayPal and Square order management REST API endpoints. Unauthenticated attackers can exploit this by sending requests to update or cancel orders using valid gateway order IDs, leading to unauthorized order state manipulation and the potential leak of sensitive order data through verbose error responses.","\u002F\u002F src\u002FTickets\u002FCommerce\u002FGateways\u002FPayPal\u002FREST\u002FOrder_Endpoint.php\n\npublic function register() {\n    $namespace     = tribe( 'tickets.rest-v1.main' )->get_events_route_namespace();\n    $documentation = tribe( 'tickets.rest-v1.endpoints.documentation' );\n\n    register_rest_route(\n        $namespace,\n        $this->get_endpoint_path(),\n        [\n            'methods'             => WP_REST_Server::CREATABLE,\n            'args'                => $this->create_order_args(),\n            'callback'            => [ $this, 'handle_create_order' ],\n            'permission_callback' => '__return_true', \u002F\u002F Vulnerable permission check\n        ]\n    );\n\n    register_rest_route(\n        $namespace,\n        $this->get_endpoint_path() . '\u002F(?P\u003Corder_id>[0-9a-zA-Z]+)',\n        [\n            'methods'             => WP_REST_Server::CREATABLE,\n            'args'                => $this->update_order_args(),\n            'callback'            => [ $this, 'handle_update_order' ],\n            'permission_callback' => '__return_true', \u002F\u002F Vulnerable permission check\n        ]\n    );\n\n    register_rest_route(\n        $namespace,\n        $this->get_endpoint_path() . '\u002F(?P\u003Corder_id>[0-9a-zA-Z]+)',\n        [\n            'methods'             => WP_REST_Server::DELETABLE,\n            'args'                => $this->fail_order_args(),\n            'callback'            => [ $this, 'handle_fail_order' ],\n            'permission_callback' => '__return_true', \u002F\u002F Vulnerable permission check\n        ]\n    );\n\n    $documentation->register_documentation_provider( $this->get_endpoint_path(), $this );\n}\n\n---\n\n\u002F\u002F src\u002FTickets\u002FCommerce\u002FGateways\u002FPayPal\u002FREST\u002FOrder_Endpoint.php\n\n\u002F\u002F Error responses leak the $order object or gateway payloads to unauthenticated users\nif ( ! $order ) {\n    return new WP_Error( 'tec-tc-gateway-paypal-failed-creating-order', $messages['failed-creating-order'], $order );\n}","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fevent-tickets\u002F5.27.6\u002Fsrc\u002FTickets\u002FCommerce\u002FGateways\u002FPayPal\u002FREST\u002FOrder_Endpoint.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fevent-tickets\u002F5.27.6.1\u002Fsrc\u002FTickets\u002FCommerce\u002FGateways\u002FPayPal\u002FREST\u002FOrder_Endpoint.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fevent-tickets\u002F5.27.6\u002Fsrc\u002FTickets\u002FCommerce\u002FGateways\u002FPayPal\u002FREST\u002FOrder_Endpoint.php\t2025-10-28 17:43:06.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fevent-tickets\u002F5.27.6.1\u002Fsrc\u002FTickets\u002FCommerce\u002FGateways\u002FPayPal\u002FREST\u002FOrder_Endpoint.php\t2026-04-15 17:14:58.000000000 +0000\n@@ -122,7 +125,7 @@\n \t\t$order = tribe( Order::class )->create_from_cart( tribe( Gateway::class ), $purchaser );\n \n \t\tif ( ! $order ) {\n-\t\t\treturn new WP_Error( 'tec-tc-gateway-paypal-failed-creating-order', $messages['failed-creating-order'], $order );\n+\t\t\treturn new WP_Error( 'tec-tc-gateway-paypal-failed-creating-order', $messages['failed-creating-order'] );\n \t\t}\n \n \t\t$unit = [\n@@ -152,7 +155,7 @@\n \t\t$paypal_order = tribe( Client::class )->create_order( $unit );\n \n \t\tif ( empty( $paypal_order['id'] ) || empty( $paypal_order['create_time'] ) ) {\n-\t\t\treturn new WP_Error( 'tec-tc-gateway-paypal-failed-creating-order', $messages['failed-creating-order'], $order );\n+\t\t\treturn new WP_Error( 'tec-tc-gateway-paypal-failed-creating-order', $messages['failed-creating-order'] );\n \t\t}\n \n \t\t$debug_header = tribe( Client::class )->get_debug_header();\n@@ -327,7 +331,10 @@\n \t\t\t\t'gateway_payload' => $paypal_capture_response,\n \t\t\t] );\n \n-\t\t\treturn new WP_Error( 'tec-tc-gateway-paypal-failed-capture', $messages['failed-capture'], $paypal_capture_response );\n+\t\t\treturn new WP_Error( 'tec-tc-gateway-paypal-failed-capture', $messages['failed-capture'], [\n+\t\t\t\t'name'    => Arr::get( $paypal_capture_response, 'name' ),\n+\t\t\t\t'details' => Arr::get( $paypal_capture_response, 'details', [] ),\n+\t\t\t] );\n \t\t}\n \n \t\t$response['success']  = true;\n@@ -382,7 +390,7 @@\n \t\t$status = tribe( Status::class )->convert_to_commerce_status( $paypal_order_status );\n \n \t\tif ( ! $status ) {\n-\t\t\treturn new WP_Error( 'tec-tc-gateway-paypal-invalid-capture-status', $messages['invalid-capture-status'], $paypal_order_response );\n+\t\t\treturn new WP_Error( 'tec-tc-gateway-paypal-invalid-capture-status', $messages['invalid-capture-status'] );\n \t\t}\n \n \t\t$updated = tribe( Order::class )->modify_status( $order->ID, $status->get_slug(), [\n@@ -432,7 +441,7 @@\n \t\t$messages = $this->get_error_messages();\n \n \t\tif ( ! $order ) {\n-\t\t\treturn new WP_Error( 'tec-tc-gateway-paypal-nonexistent-order-id', null, $order );\n+\t\t\treturn new WP_Error( 'tec-tc-gateway-paypal-nonexistent-order-id', null );\n \t\t}\n \n \t\t$failed_reason = $request->get_param( 'failed_reason' );\n@@ -441,13 +450,16 @@\n \t\t\t$failed_status = 'not-completed';\n \t\t}\n \n+\t\t$allowed_failure_statuses = [ Not_Completed::SLUG, Denied::SLUG, Voided::SLUG ];\n+\n+\t\tif ( ! in_array( $failed_status, $allowed_failure_statuses, true ) ) {\n+\t\t\treturn new WP_Error( 'tec-tc-gateway-paypal-invalid-failed-status', null );\n+\t\t}\n+\n \t\t$status = tribe( Status_Handler::class )->get_by_slug( $failed_status );\n \n \t\tif ( ! $status ) {\n-\t\t\treturn new WP_Error( 'tec-tc-gateway-paypal-invalid-failed-status', null, [\n-\t\t\t\t'failed_status' => $failed_status,\n-\t\t\t\t'failed_reason' => $failed_reason\n-\t\t\t] );\n+\t\t\treturn new WP_Error( 'tec-tc-gateway-paypal-invalid-failed-status', null );\n \t\t}","An unauthenticated attacker can exploit this vulnerability by targeting the REST API endpoints registered for the Tickets Commerce PayPal and Square gateways. The attacker first obtains a valid Gateway Order ID (for example, by initiating a guest checkout session). Using this ID, the attacker sends a DELETE request to `\u002Fwp-json\u002Ftec\u002Fv1\u002Fcommerce\u002Fpaypal\u002Forder\u002F{order_id}` or its Square equivalent. Because the endpoints use `__return_true` as a permission callback and lack secondary ownership checks, the request is processed, allowing the attacker to force the order into a failure state (e.g., 'denied' or 'voided'). Furthermore, by purposefully sending malformed requests, the attacker can trigger error responses that include serialized Order objects or gateway payloads, exposing sensitive internal transaction data.","gemini-3-flash-preview","2026-05-04 17:01:45","2026-05-04 17:02:41",{"type":41,"vulnerable_version":42,"fixed_version":11,"vulnerable_browse":43,"vulnerable_zip":44,"fixed_browse":45,"fixed_zip":46,"all_tags":47},"plugin","5.27.6","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fevent-tickets\u002Ftags\u002F5.27.6","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fevent-tickets.5.27.6.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fevent-tickets\u002Ftags\u002F5.27.6.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fevent-tickets.5.27.6.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fevent-tickets\u002Ftags"]