The Event Tickets and Registration plugin for WordPress, widely used for managing event ticketing and registrations, contains a vulnerability identified as CVE-2025-1402. This vulnerability is classified under CWE-862, indicating a missing authorization check. Specifically, the 'ajax_ticket_delete' function lacks proper capability verification, allowing authenticated users with Contributor-level permissions or higher to delete attendee tickets arbitrarily. Since Contributor roles are common in WordPress sites for content creation, this vulnerability expands the attack surface beyond administrators. The flaw affects all versions up to and including 5.19.1.1. The vulnerability does not require user interaction and can be exploited remotely via network access. The CVSS 3.1 base score is 5.3, with vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N, indicating no confidentiality or availability impact but a loss of integrity. No patches or fixes have been linked yet, and no known exploits have been observed in the wild. The vulnerability could be leveraged to disrupt event operations by deleting tickets, potentially causing confusion and loss of trust in event management systems.

This vulnerability primarily impacts the integrity of event ticket data by allowing unauthorized deletion of attendee tickets. Organizations relying on the Event Tickets and Registration plugin for managing events could face operational disruptions, including loss of ticket records, attendee confusion, and potential financial losses due to ticket mismanagement. While confidentiality and availability remain unaffected, the integrity breach could undermine trust in event management processes and complicate audit trails. Attackers with Contributor-level access, which is a relatively low privilege level, can exploit this flaw, increasing the risk of insider threats or compromised accounts being used maliciously. The scope includes any WordPress site using this plugin, which is significant given WordPress's large market share in content management systems worldwide.

To mitigate this vulnerability, organizations should immediately restrict Contributor-level permissions to trusted users only and audit existing user roles to minimize unnecessary elevated privileges. Implementing a Web Application Firewall (WAF) with custom rules to monitor and block unauthorized 'ajax_ticket_delete' requests can provide temporary protection. Administrators should monitor logs for suspicious ticket deletion activities and enforce multi-factor authentication to reduce the risk of account compromise. Since no official patch is currently available, consider disabling or replacing the Event Tickets and Registration plugin with alternative solutions until a fix is released. Additionally, site owners should subscribe to vendor advisories for timely updates and apply patches promptly once available. Conducting regular backups of event data will also help recover from any unauthorized deletions.