CVSS: 5.3 | EPSS: 0% | CPEs: 1 | EXPL: 1
CVE-2023-7252 – Tickera < 3.5.2.5 - Ticket leakage through IDOR
https://notcve.org/view.php?id=CVE-2023-7252
The Tickera WordPress plugin before 3.5.2.5 does not prevent users from leaking other users' tickets. The Tickera – WordPress Event Ticketing plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.5.2.4 via the order_key parameter due to missing validation on the user-controlled key. This makes it possible for unauthenticated attackers to view other users' tickets. • https://wpscan.com/vulnerability/c452c5da-05a6-4a14-994d-e5049996d496 • CWE-639: Authorization Bypass Through User-Controlled Key