{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32492", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-03-12T11:12:00.510Z", "datePublished": "2026-03-25T16:14:58.909Z", "dateUpdated": "2026-03-25T16:14:58.909Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "my-tickets", "product": "My Tickets", "vendor": "Joe Dolson", "versions": [{"changes": [{"at": "2.1.2", "status": "unaffected"}], "lessThanOrEqual": "<= 2.1.1", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Tarc\u00edsio Luchesi(Poystick) | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:37.421Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Authentication Bypass by Spoofing vulnerability in Joe Dolson My Tickets my-tickets allows Identity Spoofing.<p>This issue affects My Tickets: from n/a through <= 2.1.1.</p>"}], "value": "Authentication Bypass by Spoofing vulnerability in Joe Dolson My Tickets my-tickets allows Identity Spoofing.This issue affects My Tickets: from n/a through <= 2.1.1."}], "impacts": [{"capecId": "CAPEC-151", "descriptions": [{"lang": "en", "value": "Identity Spoofing"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-290", "description": "Authentication Bypass by Spoofing", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:58.909Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/my-tickets/vulnerability/wordpress-my-tickets-plugin-2-1-1-bypass-vulnerability-vulnerability?_s_id=cve"}], "title": "WordPress My Tickets plugin <= 2.1.1 - Bypass Vulnerability vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Authentication Bypass by Spoofing vulnerability in Joe Dolson My Tickets my-tickets allows Identity Spoofing.This issue affects My Tickets: from n/a through <= 2.1.1."}], "id": "CVE-2026-32492", "lastModified": "2026-03-25T17:17:00.827", "metrics": {}, "published": "2026-03-25T17:17:00.827", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/my-tickets/vulnerability/wordpress-my-tickets-plugin-2-1-1-bypass-vulnerability-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-290"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-25T18:35:31.217062+00:00", "value": {"mitigation_remediation": ["Upgrade the My Tickets plugin to the latest version (recommended\u202f2.1.2 or newer).", "After the update, confirm that the authentication flow works normally and no unauthorized accounts are in use.", "If an update is not immediately available, consider disabling or uninstalling the plugin until a patch is released.", "Perform a security audit to identify any accounts that may have been created or used through the bypass."], "summary": {"action": "Immediate Patch", "impact": "Authentication Bypass \u2013 Identity Spoofing"}, "threat_synthesis": {"affected_systems": "The plugin is distributed by Joe Dolson under the My Tickets brand. All releases up to and including version 2.1.1 \u2013 i.e., from the initial release through 2.1.1 \u2013 are affected. Any WordPress site that hosts these plugin versions is susceptible.", "description_and_impact": "The My Tickets plugin for WordPress contains a flaw that permits an attacker to spoof the authentication identity of another user. This flaw enables the malicious actor to assume the privileges of any account that exists on the site, creating a serious confidentiality and integrity risk to the application and its data. The weakness is a classic authentication bypass, classified as CWE\u2011290.", "risk_and_exploitability": "Because the vulnerability resides in the plugin\u2019s login or user\u2011management interface, an attacker can trigger it without needing administrative privileges. The public nature of WordPress sites greatly increases the exposure, and the lack of any known patches or mitigations in the provided data points to a high risk. No CVSS or EPSS scores are available, and the vulnerability is not listed in the KEV catalogue, yet the ability to impersonate users remains a serious threat."}}}}, "created": "2026-03-25T21:43:36.538581+00:00", "updated": "2026-03-25T21:43:36.538605+00:00", "vendors": []}