CVSS: 5.3 • EPSS: 0% • CPEs: 1 • EXPL: 1

The Tickera WordPress plugin before 3.5.2.5 does not prevent users from leaking other users' tickets. The Tickera – WordPress Event Ticketing plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.5.2.4 via the order_key parameter due to missing validation on the user-controlled key. This makes it possible for unauthenticated attackers to view other users' tickets. • https://wpscan.com/vulnerability/c452c5da-05a6-4a14-994d-e5049996d496 • CWE-639: Authorization Bypass Through User-Controlled Key