Unauthenticated Arbitrary Shortcode Execution Vulnerability in Tickera WordPress Event Ticketing Plugin
CVE-2024-10263

7.3HIGH

Key Information:

Vendor: Wordpress
Status: Tickera – WordPress Event Ticketing
Vendor: CVE Published:; 5 November 2024

Summary

The Tickera – WordPress Event Ticketing plugin is susceptible to a vulnerability that permits arbitrary shortcode execution. This flaw exists in all versions up to and including 3.5.4.4. The vulnerability arises from insufficient validation of values before executing do_shortcode, allowing unauthenticated users to run malicious shortcodes. This can lead to unauthorized actions being performed on the application, posing a significant risk to the integrity and security of WordPress sites utilizing this plugin.

Affected Version(s)

Tickera – WordPress Event Ticketing * <= 3.5.4.4

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/changeset/3179272/tick...

CVSS V3.1

Score:

7.3

Severity:

HIGH

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Nov 5, 2024
Vulnerability Reserved
Oct 22, 2024

Credit

Arkadiusz Hydzik