CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-5860 – Tickera <= 3.5.2.8 - Missing Authorization to Authenticated (Susbcriber+) Ticket Deletion
https://notcve.org/view.php?id=CVE-2024-5860
The Tickera – WordPress Event Ticketing plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the tc_dl_delete_tickets AJAX action in all versions up to, and including, 3.5.2.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete all tickets associated with events. El complemento Tickera – WordPress Event Ticketing para WordPress es vulnerable a la pérdida no autorizada de datos debido a una falta de verificación de capacidad en la acción tc_dl_delete_tickets AJAX en todas las versiones hasta la 3.5.2.8 incluida. Esto hace posible que los atacantes autenticados, con acceso de nivel de suscriptor y superior, eliminen todos los tickets asociados con los eventos. • https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3103413%40tickera-event-ticketing-system&new=3103413%40tickera-event-ticketing-system&sfp_email=&sfph_mail= https://www.wordfence.com/threat-intel/vulnerabilities/id/d86aa41c-24df-49ec-b273-7bb57addddde?source=cve • CWE-862: Missing Authorization CWE-863: Incorrect Authorization •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-35729 – WordPress Tickera – WordPress Event Ticketing plugin <= 3.5.2.6 - Broken Access Control vulnerability
https://notcve.org/view.php?id=CVE-2024-35729
Missing Authorization vulnerability in Tickera.This issue affects Tickera: from n/a through 3.5.2.6. Vulnerabilidad de autorización faltante en Tickera. Este problema afecta a Tickera: desde n/a hasta 3.5.2.6. The Tickera plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the generate_ticket_preview() function in versions up to, and including, 3.5.2.6. This makes it possible for authenticated attackers, with contributor-level access and above, to generate ticket previews. • https://patchstack.com/database/vulnerability/tickera-event-ticketing-system/wordpress-tickera-wordpress-event-ticketing-plugin-3-5-2-6-broken-access-control-vulnerability?_s_id=cve • CWE-862: Missing Authorization •
CVSS: 7.1EPSS: 0%CPEs: 1EXPL: 0CVE-2023-41861 – WordPress Restrict Plugin <= 2.2.4 is vulnerable to Cross Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2023-41861
Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Restrict plugin <= 2.2.4 versions. Vulnerabilidad de Cross-Site Scripting (XSS) Reflejada No Autenticada del complemento Restrict en versiones <= 2.2.4. The Restrict plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'page' parameter in versions up to, and including, 2.2.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. • https://patchstack.com/database/vulnerability/restricted-content/wordpress-restrict-membership-site-content-and-user-access-restrictions-for-wordpress-plugin-2-2-4-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2023-23726 – Tickera <= 3.5.1.0 - Cross-Site Request Forgery to Ticket Post Status Change
https://notcve.org/view.php?id=CVE-2023-23726
The Tickera plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.5.1.0. This is due to missing nonce validation in the tc_get_ticket_type_instances function. This makes it possible for unauthenticated attackers to change a ticket post status via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 1CVE-2022-4549 – Tickera < 3.5.1.0 - Plugin Data Deletion via CSRF
https://notcve.org/view.php?id=CVE-2022-4549
The Tickera WordPress plugin before 3.5.1.0 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack. El complemento Tickera de WordPress anterior a 3.5.1.0 no tiene activada la verificación CSRF al actualizar sus configuraciones, lo que podría permitir a los atacantes hacer que un administrador que haya iniciado sesión las cambie mediante un ataque CSRF. The Tickera plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.4.9.9. This is due to missing nonce validation in the ~/includes/addons/delete-info/includes/admin-pages/settings-tickera_delete_info.php file. This makes it possible for unauthenticated attackers to delete the plugin's data and update the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. • https://wpscan.com/vulnerability/06e1be38-fc1a-4799-a006-556b678ae701 • CWE-352: Cross-Site Request Forgery (CSRF) •