CVE-2021-25028: 
WordPress vulnerability analysis and mitigation

The Event Tickets WordPress plugin before version 5.2.2 contains an open redirect vulnerability (CVE-2021-25028) discovered by Krzysztof Zając and disclosed on December 22, 2021. The vulnerability affects the plugin's handling of the tribeticketsredirect_to parameter, which lacks proper validation before redirecting users (WPScan).

The vulnerability is classified as a medium severity issue with a CVSS v3.1 base score of 6.1. The attack vector is network-based (AV:N), with low attack complexity (AC:L), requires no privileges (PR:N), needs user interaction (UI:R), and has a changed scope (S:C) with low impact on both confidentiality and integrity. The vulnerability is tracked as CWE-601 and falls under the OWASP Top 10 category A1: Injection (WPScan, AttackerKB).

When exploited, this vulnerability allows an attacker to perform arbitrary redirects by manipulating the tribeticketsredirect_to parameter. This could potentially be used in phishing attacks by redirecting users to malicious websites (WPScan).

The vulnerability has been fixed in Event Tickets version 5.2.2. Users are advised to update to this version or later to mitigate the risk (WPScan).