{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32492", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-03-12T11:12:00.510Z", "datePublished": "2026-03-25T16:14:58.909Z", "dateUpdated": "2026-04-29T09:52:00.702Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "my-tickets", "product": "My Tickets", "vendor": "Joe Dolson", "versions": [{"changes": [{"at": "2.1.2", "status": "unaffected"}], "lessThanOrEqual": "<= 2.1.1", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Tarc\u00edsio Luchesi(Poystick) | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:37.421Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Authentication Bypass by Spoofing vulnerability in Joe Dolson My Tickets my-tickets allows Identity Spoofing.<p>This issue affects My Tickets: from n/a through <= 2.1.1.</p>"}], "value": "Authentication Bypass by Spoofing vulnerability in Joe Dolson My Tickets my-tickets allows Identity Spoofing.This issue affects My Tickets: from n/a through <= 2.1.1."}], "impacts": [{"capecId": "CAPEC-151", "descriptions": [{"lang": "en", "value": "Identity Spoofing"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-290", "description": "Authentication Bypass by Spoofing", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-29T09:52:00.702Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/my-tickets/vulnerability/wordpress-my-tickets-plugin-2-1-1-bypass-vulnerability-vulnerability?_s_id=cve"}], "title": "WordPress My Tickets plugin <= 2.1.1 - Bypass Vulnerability vulnerability"}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-26T19:33:31.459110Z", "id": "CVE-2026-32492", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T19:34:28.982Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-32492", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-26T19:33:31.459110Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T19:32:34.507Z"}}], "cna": {"title": "WordPress My Tickets plugin <= 2.1.1 - Bypass Vulnerability vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Tarc\u00edsio Luchesi(Poystick) | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-151", "descriptions": [{"lang": "en", "value": "Identity Spoofing"}]}], "affected": [{"vendor": "Joe Dolson", "product": "My Tickets", "versions": [{"status": "affected", "changes": [{"at": "2.1.2", "status": "unaffected"}], "version": "n/a", "versionType": "custom", "lessThanOrEqual": "<= 2.1.1"}], "packageName": "my-tickets", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-03-25T17:12:37.421Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/my-tickets/vulnerability/wordpress-my-tickets-plugin-2-1-1-bypass-vulnerability-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Authentication Bypass by Spoofing vulnerability in Joe Dolson My Tickets my-tickets allows Identity Spoofing.This issue affects My Tickets: from n/a through <= 2.1.1.", "supportingMedia": [{"type": "text/html", "value": "Authentication Bypass by Spoofing vulnerability in Joe Dolson My Tickets my-tickets allows Identity Spoofing.<p>This issue affects My Tickets: from n/a through <= 2.1.1.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-290", "description": "Authentication Bypass by Spoofing"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:58.909Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32492", "state": "PUBLISHED", "dateUpdated": "2026-03-26T19:34:28.982Z", "dateReserved": "2026-03-12T11:12:00.510Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-25T16:14:58.909Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Authentication Bypass by Spoofing vulnerability in Joe Dolson My Tickets my-tickets allows Identity Spoofing.This issue affects My Tickets: from n/a through <= 2.1.1."}, {"lang": "es", "value": "Vulnerabilidad de omisi\u00f3n de autenticaci\u00f3n por suplantaci\u00f3n en Joe Dolson My Tickets my-tickets permite la suplantaci\u00f3n de identidad. Este problema afecta a My Tickets: desde n/a hasta &lt;= 2.1.1."}], "id": "CVE-2026-32492", "lastModified": "2026-04-29T10:17:14.657", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "audit@patchstack.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-25T17:17:00.827", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/my-tickets/vulnerability/wordpress-my-tickets-plugin-2-1-1-bypass-vulnerability-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-290"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.1.1]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[2.1.2,*]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "My Tickets", "source": "cna", "vendor": "Joe Dolson"}, "product": "my_tickets", "vendor": "joe_dolson"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-26T21:41:31.846631+00:00", "value": {"mitigation_remediation": ["Update the My Tickets plugin to the latest available version, ensuring it is greater than\u202f2.1.1.", "If no update is available, disable or remove the plugin from the site to eliminate the vulnerable code.", "Restrict access to the plugin\u2019s administrative endpoints by applying proper role\u2011based access controls.", "Monitor website logs for unusual authentication patterns or unauthorized access attempts."], "summary": {"action": "Patch", "impact": "Identity Spoofing"}, "threat_synthesis": {"affected_systems": "The affected systems are installations of the WordPress My Tickets plugin from Joe Dolson up to and including version\u202f2.1.1. These systems can be running on any WordPress site that has installed the plugin, meaning that the risk is widespread across any site using this plugin version.", "description_and_impact": "The vulnerability is an authentication bypass by spoofing. An attacker can trick the My Tickets plugin into treating an arbitrary user ID as authenticated, effectively impersonating that user. This flaw aligns with CWE\u2011290, broken authentication, and can lead to unauthorized access to sensitive functions such as ticket management or administrative actions.", "risk_and_exploitability": "With a CVSS score of\u202f5.3 and an EPSS below\u202f1\u202f%, the vulnerability presents a moderate severity but is unlikely to see mass exploitation. Based on the description, the likely attack vector is sending a crafted HTTP request to the My Tickets plugin endpoint, which an attacker can perform locally or remotely without privileged access. Attackers can target any site that exposes the plugin\u2019s functions to public or authenticated users. It is inferred that, because the flaw is not listed in the CISA KEV catalog, there has been no widespread exploitation yet, although the issue is actionable."}}}}, "created": "2026-03-25T21:43:36.538581+00:00", "updated": "2026-03-27T09:31:07.414873+00:00", "vendors": ["joe_dolson", "joe_dolson$PRODUCT$my_tickets", "wordpress", "wordpress$PRODUCT$wordpress"]}