Unauthorized Ticket Deletion Vulnerability in Tickera WordPress Event Ticketing Plugin

CVE-2024-5860
4.3MEDIUM

Key Information

Vendor
Tickera
Status
Tickera – WordPress Event Ticketing
Vendor
CVE Published:
18 June 2024

Summary

The Tickera – WordPress Event Ticketing plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the tc_dl_delete_tickets AJAX action in all versions up to, and including, 3.5.2.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete all tickets associated with events.

Affected Version(s)

Tickera – WordPress Event Ticketing <= 3.5.2.8

CVSS V3.1

Score:
4.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published.

  • Disclosed

  • Vulnerability Reserved.

Collectors

NVD DatabaseMitre Database

Credit

Lucio Sá
.