Unauthorized Data Modification in Tickera Plugin for WordPress
CVE-2025-12356
4.3MEDIUM
Key Information:
- Vendor
WordPress
- Vendor
- CVE Published:
- 18 February 2026
What is CVE-2025-12356?
The Tickera β Sell Tickets & Manage Events plugin for WordPress is vulnerable to unauthorized data alterations due to the absence of adequate capability checks on the 'wp_ajax_change_ticket_status' AJAX endpoint. This flaw affects all versions up to and including 3.5.6.4, enabling authenticated attackers with Subscriber-level access and above to modify the statuses of posts and events, potentially leading to misuse and unauthorized control over events data.
Affected Version(s)
Tickera β Sell Tickets & Manage Events 0 <= 3.5.6.4