CVSS: 4.3 | EPSS: % | CPEs: 1 | EXPL: 0

The Event Tickets plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.11.0.4. This is due to missing or incorrect nonce validation on the handle_action_disconnect() function. This makes it possible for unauthenticated attackers to disconnect a merchant via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
• CWE-352: Cross-Site Request Forgery (CSRF)

CVSS: 6.1 | EPSS: 0% | CPEs: 1 | EXPL: 1

The Event Tickets WordPress plugin before 5.2.2 does not validate the tribe_tickets_redirect_to parameter before redirecting the user to the given value, leading to an arbitrary redirect issue.
• https://wpscan.com/vulnerability/80b0682e-2c3b-441b-9628-6462368e5fc7
• CWE-601: URL Redirection to Untrusted Site ('Open Redirect')

CVSS: 8.8 | EPSS: 3% | CPEs: 1 | EXPL: 1

CSV injection in the event-tickets (Event Tickets) plugin before 4.10.7.2 for WordPress exists via the "All Post> Ticketed > Attendees" Export Attendees feature.
• https://wordpress.org/plugins/event-tickets/#developers
• https://wpvulndb.com/vulnerabilities/9858
• https://www.exploit-db.com/exploits/47335
• CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
• CWE-1236: Improper Neutralization of Formula Elements in a CSV File