Insecure Direct Object Reference in Event Tickets and Registration Plugin for WordPress
CVE-2024-13457
5.3MEDIUM
Key Information:
- Vendor
- Theeventscalendar
- Status
- Event Tickets And Registration
- Vendor
- CVE Published:
- 30 January 2025
Summary
The Event Tickets and Registration plugin for WordPress has a vulnerability that allows unauthenticated users to exploit an insecure direct object reference through the tc-order-id parameter. This vulnerability enables attackers to view sensitive information such as order details, ticket prices, user emails, and the order date for purchases they did not make, due to inadequate validation of user-controlled inputs. It is crucial for website administrators to address this issue promptly by updating to the latest version of the plugin.
Affected Version(s)
Event Tickets and Registration * <= 5.18.1
References
CVSS V3.1
Score:
5.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Whit Taylor