The Tickera WordPress plugin before 3.5.1.0 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack.
El complemento Tickera de WordPress anterior a 3.5.1.0 no tiene activada la verificación CSRF al actualizar sus configuraciones, lo que podría permitir a los atacantes hacer que un administrador que haya iniciado sesión las cambie mediante un ataque CSRF.
The Tickera plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.4.9.9. This is due to missing nonce validation in the ~/includes/addons/delete-info/includes/admin-pages/settings-tickera_delete_info.php file. This makes it possible for unauthenticated attackers to delete the plugin's data and update the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
