CVSS: 7.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-10263 – Tickera – WordPress Event Ticketing <= 3.5.4.4 - Unauthenticated Arbitrary Shortcode Execution
https://notcve.org/view.php?id=CVE-2024-10263
The Tickera – WordPress Event Ticketing plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 3.5.4.4. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. • https://plugins.trac.wordpress.org/changeset/3179272/tickera-event-ticketing-system https://www.wordfence.com/threat-intel/vulnerabilities/id/6e5e9249-9705-4cfa-9c8e-2e002190562b?source=cve • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-5860 – Tickera <= 3.5.2.8 - Missing Authorization to Authenticated (Susbcriber+) Ticket Deletion
https://notcve.org/view.php?id=CVE-2024-5860
The Tickera – WordPress Event Ticketing plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the tc_dl_delete_tickets AJAX action in all versions up to, and including, 3.5.2.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete all tickets associated with events. El complemento Tickera – WordPress Event Ticketing para WordPress es vulnerable a la pérdida no autorizada de datos debido a una falta de verificación de capacidad en la acción tc_dl_delete_tickets AJAX en todas las versiones hasta la 3.5.2.8 incluida. Esto hace posible que los atacantes autenticados, con acceso de nivel de suscriptor y superior, eliminen todos los tickets asociados con los eventos. • https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3103413%40tickera-event-ticketing-system&new=3103413%40tickera-event-ticketing-system&sfp_email=&sfph_mail= https://www.wordfence.com/threat-intel/vulnerabilities/id/d86aa41c-24df-49ec-b273-7bb57addddde?source=cve • CWE-862: Missing Authorization CWE-863: Incorrect Authorization •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-35729 – WordPress Tickera – WordPress Event Ticketing plugin <= 3.5.2.6 - Broken Access Control vulnerability
https://notcve.org/view.php?id=CVE-2024-35729
Missing Authorization vulnerability in Tickera.This issue affects Tickera: from n/a through 3.5.2.6. Vulnerabilidad de autorización faltante en Tickera. Este problema afecta a Tickera: desde n/a hasta 3.5.2.6. The Tickera plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the generate_ticket_preview() function in versions up to, and including, 3.5.2.6. This makes it possible for authenticated attackers, with contributor-level access and above, to generate ticket previews. • https://patchstack.com/database/vulnerability/tickera-event-ticketing-system/wordpress-tickera-wordpress-event-ticketing-plugin-3-5-2-6-broken-access-control-vulnerability?_s_id=cve • CWE-862: Missing Authorization •
CVSS: 7.1EPSS: 0%CPEs: 1EXPL: 0CVE-2023-41861 – WordPress Restrict Plugin <= 2.2.4 is vulnerable to Cross Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2023-41861
Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Restrict plugin <= 2.2.4 versions. Vulnerabilidad de Cross-Site Scripting (XSS) Reflejada No Autenticada del complemento Restrict en versiones <= 2.2.4. The Restrict plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'page' parameter in versions up to, and including, 2.2.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. • https://patchstack.com/database/vulnerability/restricted-content/wordpress-restrict-membership-site-content-and-user-access-restrictions-for-wordpress-plugin-2-2-4-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2023-23726 – Tickera <= 3.5.1.0 - Cross-Site Request Forgery to Ticket Post Status Change
https://notcve.org/view.php?id=CVE-2023-23726
The Tickera plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.5.1.0. This is due to missing nonce validation in the tc_get_ticket_type_instances function. This makes it possible for unauthenticated attackers to change a ticket post status via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. • CWE-352: Cross-Site Request Forgery (CSRF) •