HIGH CVE-2026-34898 Published Modified CNA Patchstack

CVE-2026-34898: WordPress Event Tickets Manager for WooCommerce plugin <= 1.5.3 - Broken Access Control vulnerability

Unauthenticated Broken Access Control in Event Tickets Manager for WooCommerce versions <= 1.5.3.

Metrics

  • CVSS v3.1: 7.5
  • Severity: HIGH
  • Fixed in: (none published)
  • Affected Products: 1

HarborGuard Analysis

Synopsis

This is a broken access control vulnerability in the Event Tickets Manager for WooCommerce WordPress plugin, affecting all versions up to and including 1.5.3. The flaw is reachable over the network with no authentication required and no user interaction needed, making it trivially exploitable by any remote attacker. Successful exploitation allows an attacker to make unauthorized modifications to data managed by the plugin, such as ticket records, event configurations, or order-related information. HarborGuard is tracking the advisory and will make a patched-image rebuild available as soon as an upstream fix is published.

HarborGuard Coverage

Detection

Detection for CVE-2026-34898 is available across every HarborGuard environment. Ingestion from upstream advisory feeds, including Patchstack, occurs within minutes of publication, and matching against customer images runs automatically across both registry-stored and pipeline-built images, including custom WordPress images that bundle this plugin.

Status: Available

Triage

HarborGuard is capable of scoring this CVE at CVSS 7.5 (HIGH) and weighting it against each customer environment's compliance policy to determine urgency. Triage routing is available to direct findings to the appropriate team inbox within each customer organization based on configured ownership rules.

Status: Available

Patch

No fix version has been published by the upstream vendor for this plugin. HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The vulnerable plugin endpoint is exposed over the network, so an attacker must be able to reach the WordPress installation via HTTP or HTTPS.

  • Authentication: Not required

    No account or session credential of any kind is needed to trigger the access control bypass.

  • Victim interaction: Not required

    The attack is fully server-side and requires no action from any user or administrator.

  • Attack complexity: Detail

    Exploit reliability is high with no race conditions or special environmental factors required; a straightforward request is sufficient.

Blast Radius

  • An attacker can make unauthorized writes to plugin-managed data, including ticket records, event settings, and associated WooCommerce order metadata.
  • Access controls protecting privileged plugin actions are bypassed, allowing an unauthenticated party to perform operations normally restricted to administrators or store managers.
  • Integrity of ticket inventory and event configuration is compromised, which can directly affect event sales, attendee records, and downstream order processing.

How HarborGuard Handles This

Available on HarborGuard: detection for this CVE is active across customer environments and will flag any image containing Event Tickets Manager for WooCommerce at version 1.5.3 or below. Because no upstream fix has been published yet, patched-image rebuild is not yet possible. HarborGuard re-evaluates the advisory on every ingest cycle and will trigger a rebuild and, for customers with auto-remediation enabled, open a patch PR against affected workloads as soon as a fix version is released. In the interim, compensating controls worth considering include network-policy rules that restrict public access to the WordPress admin and plugin API endpoints, web application firewall rules that block unauthorized requests to affected routes, and review of whether the plugin's functionality needs to remain active on public-facing instances until a patch is available.

Affected packages
  • WP Swings / Event Tickets Manager for WooCommerce
    ≤ 1.5.3
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N