CVE-2024-5860

The Tickera – WordPress Event Ticketing plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the tc_dl_delete_tickets AJAX action in all versions up to, and including, 3.5.2.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete all tickets associated with events.
Configurations

Configuration 1 (hide)

cpe:2.3:a:tickera:tickera:*:*:*:*:*:wordpress:*:*

History

05 Jul 2024, 13:52

Type Values Removed Values Added
CWE CWE-863
References () https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3103413%40tickera-event-ticketing-system&new=3103413%40tickera-event-ticketing-system&sfp_email=&sfph_mail= - () https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3103413%40tickera-event-ticketing-system&new=3103413%40tickera-event-ticketing-system&sfp_email=&sfph_mail= - Product
References () https://www.wordfence.com/threat-intel/vulnerabilities/id/d86aa41c-24df-49ec-b273-7bb57addddde?source=cve - () https://www.wordfence.com/threat-intel/vulnerabilities/id/d86aa41c-24df-49ec-b273-7bb57addddde?source=cve - Third Party Advisory
First Time Tickera tickera
Tickera
CPE cpe:2.3:a:tickera:tickera:*:*:*:*:*:wordpress:*:*

20 Jun 2024, 12:44

Type Values Removed Values Added
Summary
  • (es) El complemento Tickera – WordPress Event Ticketing para WordPress es vulnerable a la pérdida no autorizada de datos debido a una falta de verificación de capacidad en la acción tc_dl_delete_tickets AJAX en todas las versiones hasta la 3.5.2.8 incluida. Esto hace posible que los atacantes autenticados, con acceso de nivel de suscriptor y superior, eliminen todos los tickets asociados con los eventos.

18 Jun 2024, 04:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-06-18 04:15

Updated : 2024-07-05 13:52


NVD link : CVE-2024-5860

Mitre link : CVE-2024-5860

CVE.ORG link : CVE-2024-5860


JSON object : View

Products Affected

tickera

  • tickera
CWE
CWE-863

Incorrect Authorization