Platform
wordpress
Component
my-tickets
Fixed in
2.0.17
CVE-2025-3761 describes a Privilege Escalation vulnerability affecting the My Tickets – Accessible Event Ticketing plugin for WordPress. An authenticated attacker with Subscriber-level access or higher can exploit this flaw to elevate their role to administrator, gaining complete control over the WordPress site. This vulnerability impacts versions 0 through 2.0.16, and a patch is available in version 2.0.17.
Successful exploitation of CVE-2025-3761 allows an attacker to bypass standard WordPress access controls. By escalating their role to administrator, the attacker can perform any action on the site, including installing malicious plugins, modifying content, deleting data, and potentially gaining access to sensitive information stored within the WordPress database. This could lead to complete compromise of the website and its associated data. The impact is particularly severe for sites handling sensitive user data or financial transactions, as an attacker could leverage administrator privileges to steal or manipulate this information.
CVE-2025-3761 was publicly disclosed on April 24, 2025. There is currently no indication of active exploitation in the wild, but the ease of exploitation and the plugin's popularity suggest it could become a target. The vulnerability is not listed on the CISA KEV catalog at the time of writing. Public proof-of-concept code is likely to emerge, increasing the risk of exploitation.
Websites utilizing the My Tickets – Accessible Event Ticketing plugin, particularly those running versions 0 through 2.0.16, are at risk. Shared hosting environments where multiple WordPress sites share the same server are also at increased risk, as a compromise of one site could potentially lead to lateral movement and exploitation of other sites using the vulnerable plugin.
• wordpress / composer / npm: grep -r 'mt_save_profile' /var/www/html/wp-content/plugins/my-tickets/
• wordpress / composer / npm: wp plugin list --status=inactive | grep 'my-tickets'
• wordpress / composer / npm: wp plugin update --all
• wordpress / composer / npm: wp plugin status my-tickets
• wordpress / composer / npm: wp plugin version my-tickets
Disclosure
Exploit status
EPSS
0.26% (49th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-3761 is to immediately update the My Tickets – Accessible Event Ticketing plugin to version 2.0.17 or later. If an immediate upgrade is not feasible because of compatibility issues or testing requirements, consider restricting access to the mt_save_profile() function within the plugin. While not a complete fix, this limits the attacker's ability to modify roles. Review WordPress user roles and permissions to confirm that no unauthorized users hold elevated privileges. After upgrading, verify the fix by logging in as a subscriber and attempting to change that account's role to administrator; the action should be denied.
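The bug class behind this advisory is a profile-save handler that writes a caller-supplied role into the user record. The following hardened handler is an added illustration, not the My Tickets plugin's own code or its actual fix; the function name, nonce name, hook and field list (mt_demo_save_profile, mt_demo_profile_nonce, MT_DEMO_SELF_EDITABLE) are assumed, and the WordPress API calls (wp_verify_nonce, current_user_can, get_editable_roles, wp_update_user) are the real core functions.

```php
<?php
// Added illustration, not the My Tickets plugin's own code: a hardened profile-save
// handler for a WordPress plugin. Function, nonce, hook and field names are assumed.
// The advisory's bug class: a role submitted by a low-privilege user is written
// straight into the user record, so a subscriber can promote themselves.

// Fields a user may change on their own profile. 'role' is deliberately absent.
const MT_DEMO_SELF_EDITABLE = array( 'first_name', 'last_name', 'display_name', 'user_email' );

function mt_demo_save_profile() {
    if ( ! is_user_logged_in() ) {
        wp_die( 'Not logged in', '', array( 'response' => 401 ) );
    }
    // CSRF check: the form must carry a nonce tied to this action.
    $nonce = isset( $_POST['mt_demo_profile_nonce'] ) ? $_POST['mt_demo_profile_nonce'] : '';
    if ( ! wp_verify_nonce( $nonce, 'mt_demo_save_profile' ) ) {
        wp_die( 'Invalid request', '', array( 'response' => 403 ) );
    }

    $current = get_current_user_id();
    $target  = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : $current;
    // Editing another account requires the edit_user capability for that account.
    if ( $target !== $current && ! current_user_can( 'edit_user', $target ) ) {
        wp_die( 'Insufficient privileges', '', array( 'response' => 403 ) );
    }

    // Build the update from an allowlist instead of passing $_POST through.
    $update = array( 'ID' => $target );
    foreach ( MT_DEMO_SELF_EDITABLE as $field ) {
        if ( isset( $_POST[ $field ] ) ) {
            $update[ $field ] = sanitize_text_field( wp_unslash( $_POST[ $field ] ) );
        }
    }
    // Role changes take a separate, capability-gated path: the caller must hold
    // promote_users and may only assign a role that is editable for them.
    if ( isset( $_POST['role'] ) ) {
        if ( ! current_user_can( 'promote_users' ) ) {
            wp_die( 'You may not change roles', '', array( 'response' => 403 ) );
        }
        $role = sanitize_key( $_POST['role'] );
        if ( ! array_key_exists( $role, get_editable_roles() ) ) {
            wp_die( 'Role not assignable', '', array( 'response' => 400 ) );
        }
        $update['role'] = $role;
    }

    $result = wp_update_user( $update );
    if ( is_wp_error( $result ) ) {
        wp_die( esc_html( $result->get_error_message() ) );
    }
}
add_action( 'admin_post_mt_demo_save_profile', 'mt_demo_save_profile' );
```

A subscriber posting role=administrator to this handler is stopped at the promote_users check; only the allowlisted profile fields reach wp_update_user().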
Update the My Tickets – Accessible Event Ticketing plugin to version 2.0.17 or later to mitigate the privilege escalation vulnerability. This update corrects how user roles are handled, preventing low-privilege users from updating their roles to administrator.
CVE-2025-3761 is a vulnerability in the My Tickets plugin for WordPress allowing authenticated subscribers to escalate to administrator roles, gaining full control of the site.
You are affected if you are using My Tickets plugin versions 0 through 2.0.16. Upgrade immediately to mitigate the risk.
Upgrade the My Tickets plugin to version 2.0.17 or later. If an immediate upgrade is not possible, restrict access to the mt_save_profile() function.
There is currently no confirmed active exploitation, but the ease of exploitation makes it a potential target.
Refer to the official My Tickets plugin website or WordPress plugin repository for the latest advisory and update information.