
CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 0

04 Jan 2023 — Cross-Site Request Forgery (CSRF) vulnerability in Joseph C Dolson My Tickets plugin <= 1.9.10 versions. The My Tickets plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.9.10. This is due to missing or incorrect nonce validation on several of its functions, including mt_reports_page and mt_import_settings. This makes it possible for unauthenticated attackers to send mass emails to users and import new plugin settings via a forged request, granted they can tric... • https://patchstack.com/database/vulnerability/my-tickets/wordpress-my-tickets-plugin-1-9-10-cross-site-request-forgery-csrf?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF)

CVSS: 6.1 • EPSS: 0% • CPEs: 1 • EXPL: 1

18 Oct 2021 — The My Tickets WordPress plugin before 1.8.31 does not properly sanitise and escape the Email field of booked tickets before outputting it in the Payment admin dashboard, which could allow unauthenticated users to perform Cross-Site Scripting attacks against admins. • https://wpscan.com/vulnerability/d973dc0f-3cb4-408d-a8b0-01abeb9ef951 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')