CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2025-1402 – Event Tickets and Registration <= 5.19.1.1 - Missing Authorization to Ticket Deletion
https://notcve.org/view.php?id=CVE-2025-1402
13 Feb 2025 — The Event Tickets and Registration plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'ajax_ticket_delete' function in all versions up to, and including, 5.19.1.1. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete arbitrary Attendee tickets. • https://plugins.trac.wordpress.org/browser/event-tickets/tags/5.18.1/src/Tribe/Assets.php#L202 • CWE-862: Missing Authorization •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-13457 – Event Tickets <= 5.18.1 - Insecure Direct Object Reference to Sensitive Information Exposure
https://notcve.org/view.php?id=CVE-2024-13457
29 Jan 2025 — The Event Tickets and Registration plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.18.1 via the tc-order-id parameter due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to view order details of orders they did not place, which includes ticket prices, user emails and order date. • https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3229935%40event-tickets%2Ftags%2F5.18.1.1&old=3227011%40event-tickets%2Ftags%2F5.18.1 • CWE-284: Improper Access Control •
CVSS: 5.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-2261 – Event Tickets and Registration <= 5.8.2 - Improper Authorization to Information Disclosure
https://notcve.org/view.php?id=CVE-2024-2261
26 Mar 2024 — The Event Tickets and Registration plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 5.8.2 via the RSVP functionality. This makes it possible for authenticated attackers, with contributor access and above, to extract sensitive data including emails and street addresses. El complemento Event Tickets and Registration para WordPress es vulnerable a la exposición de información confidencial en todas las versiones hasta la 5.8.2 incluida a través de la fun... • https://plugins.trac.wordpress.org/changeset?old_path=/event-tickets/tags/5.8.2&old=3059268&new_path=/event-tickets/tags/5.8.3&new=3059268&sfp_email=&sfph_mail= • CWE-639: Authorization Bypass Through User-Controlled Key •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-1053 – Event Tickets and Registration <= 5.8.1 - Missing Authorization
https://notcve.org/view.php?id=CVE-2024-1053
21 Feb 2024 — The Event Tickets and Registration plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'email' action in all versions up to, and including, 5.8.1. This makes it possible for authenticated attackers, with contributor-level access and above, to email the attendees list to themselves. El complemento Event Tickets and Registration para WordPress es vulnerable al acceso no autorizado a los datos debido a una falta de verificación de capacidad en la acción 'e... • https://plugins.trac.wordpress.org/changeset/3038150/event-tickets/tags/5.8.2/src/Tickets/Commerce/Reports/Attendees.php • CWE-284: Improper Access Control •
CVSS: 6.5EPSS: 0%CPEs: 425EXPL: 0CVE-2022-4974 – Freemius SDK <= 2.4.2 - Missing Authorization Checks
https://notcve.org/view.php?id=CVE-2022-4974
04 Mar 2022 — The Freemius SDK, as used by hundreds of WordPress plugin and theme developers, was vulnerable to Cross-Site Request Forgery and Information disclosure due to missing capability checks and nonce protection on the _get_debug_log, _get_db_option, and the _set_db_option functions in versions up to, and including 2.4.2. Any WordPress plugin or theme running a version of Freemius less than 2.4.3 is vulnerable. • https://www.wordfence.com/threat-intel/vulnerabilities/id/39fb0499-9ab4-4a2f-b0db-ece86bcf4d42?source=cve • CWE-862: Missing Authorization •