Cyber Resilience

CVE-2025-68015

CriticalRCE

Published: 22 January 2026

Published
22 January 2026
Modified
15 April 2026
KEV Added
Patch
CVSS Score v3.1 9.0 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS Score 0.0032 23.5th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2025-68015 is a critical-severity Code Injection (CWE-94) vulnerability. Its CVSS base score is 9.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 23.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-68015 is an Improper Control of Generation of Code ('Code Injection') vulnerability, classified under CWE-94, in the WordPress plugin Event Tickets with Ticket Scanner by Vollstart. This issue affects all versions of the plugin from n/a through 2.8.5. The vulnerability carries a CVSS v3.1 base score of 9.0 (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H), indicating critical severity due to its potential for severe impact.

The vulnerability enables remote code execution via code injection. Unauthenticated attackers (PR:N) can exploit it over the network (AV:N) without user interaction (UI:N), though it requires high attack complexity (AC:H). Successful exploitation grants high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H) with a changed scope (S:C), allowing attackers to execute arbitrary code on the affected WordPress site.

Patchstack provides details on the vulnerability, describing it as a remote code execution issue in versions up to 2.8.5, in their advisory at https://patchstack.com/database/Wordpress/Plugin/event-tickets-with-ticket-scanner/vulnerability/wordpress-event-tickets-with-ticket-scanner-plugin-2-7-10-remote-code-execution-rce-vulnerability?_s_id=cve.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Improper Control of Generation of Code ('Code Injection') vulnerability in Vollstart Event Tickets with Ticket Scanner event-tickets-with-ticket-scanner allows Code Injection.This issue affects Event Tickets with Ticket Scanner: from n/a through <= 2.8.5.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Direct RCE via unauthenticated code injection in public-facing WordPress plugin maps to exploitation of public-facing application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-41229Shared CWE-94
CVE-2026-44262Shared CWE-94
CVE-2026-40563Shared CWE-94
CVE-2024-32641Shared CWE-94
CVE-2025-71243Shared CWE-94
CVE-2026-2052Shared CWE-94
CVE-2026-9170Shared CWE-94
CVE-2025-54451Shared CWE-94
CVE-2025-50692Shared CWE-94
CVE-2025-22204Shared CWE-94

Affected Assets

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires timely identification, reporting, and correction of software flaws like this code injection vulnerability in the WordPress plugin, directly preventing exploitation through patching.

prevent

Enforces validation and sanitization of information inputs to the system, directly countering code injection attacks by rejecting malformed or malicious inputs targeting the plugin.

preventdetect

Mandates vulnerability scanning and monitoring to identify the specific code injection flaw in the plugin, enabling proactive remediation before attacker exploitation.

References