CVE-2025-3761: 
WordPress vulnerability analysis and mitigation

The My Tickets – Accessible Event Ticketing plugin for WordPress contains a privilege escalation vulnerability affecting all versions up to and including 2.0.16. The vulnerability was discovered and disclosed on April 24, 2025, and has been assigned CVE-2025-3761. This security issue impacts WordPress installations that have the My Tickets plugin installed (NVD).

The vulnerability exists in the mtsaveprofile() function which fails to properly restrict access to unauthorized users when updating roles. The issue has been assigned a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The vulnerability is classified as CWE-269 (Improper Privilege Management) (NVD).

When exploited, this vulnerability allows authenticated attackers with Subscriber-level access or higher to elevate their privileges to that of an administrator. This gives attackers full administrative access to the WordPress site, potentially allowing them to make unauthorized changes to the site's content, settings, and user accounts (NVD).

The vulnerability has been patched in version 2.0.17 of the My Tickets plugin. Site administrators are strongly advised to update to this version immediately. The fix includes additional authorization checks in the mtsaveprofile() function to prevent unauthorized role updates (WordPress Plugin).