Search Results (13 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2026-13755 2 Tickera, Wordpress 2 Tickera – Sell Tickets & Manage Events, Wordpress 2026-07-16 6.4 Medium
The Tickera – Sell Tickets & Manage Events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'price_wrapper' Shortcode Attribute in all versions up to, and including, 3.6.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Successful execution of the injected script is limited to victims who have the referenced ticket ID present in their cart cookie, meaning the payload only fires for users who have previously added that ticket to their cart.
CVE-2026-13754 2 Tickera, Wordpress 2 Tickera – Sell Tickets & Manage Events, Wordpress 2026-07-16 6.5 Medium
The Tickera – Sell Tickets & Manage Events plugin for WordPress is vulnerable to generic SQL Injection via the 's' parameter in all versions up to, and including, 3.6.0.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with custom-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
CVE-2023-23726 2 Tickera, Wordpress 2 Tickera, Wordpress 2026-04-28 5.4 Medium
Cross-Site Request Forgery (CSRF) vulnerability in Tickera.com Tickera allows Cross Site Request Forgery.This issue affects Tickera: from n/a through 3.5.1.0.
CVE-2025-69355 2 Tickera, Wordpress 2 Tickera, Wordpress 2026-04-24 4.3 Medium
Missing Authorization vulnerability in Tickera Tickera tickera-event-ticketing-system allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Tickera: from n/a through <= 3.5.6.4.
CVE-2025-67939 2 Tickera, Wordpress 2 Tickera, Wordpress 2026-04-24 6.5 Medium
Missing Authorization vulnerability in Tickera Tickera tickera-event-ticketing-system allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Tickera: from n/a through <= 3.5.6.2.
CVE-2025-58611 2 Tickera, Wordpress 2 Tickera, Wordpress 2026-04-23 4.3 Medium
Cross-Site Request Forgery (CSRF) vulnerability in Tickera Tickera tickera-event-ticketing-system allows Cross Site Request Forgery.This issue affects Tickera: from n/a through <= 3.5.5.6.
CVE-2024-35729 1 Tickera 1 Tickera 2026-04-23 5.3 Medium
Missing Authorization vulnerability in Tickera Tickera tickera-event-ticketing-system allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Tickera: from n/a through <= 3.5.2.6.
CVE-2025-12356 2 Tickera, Wordpress 2 Tickera – Sell Tickets & Manage Events, Wordpress 2026-04-22 4.3 Medium
The Tickera – Sell Tickets & Manage Events plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wp_ajax_change_ticket_status' AJAX endpoint in all versions up to, and including, 3.5.6.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update post/event statuses.
CVE-2024-5860 1 Tickera 1 Tickera 2026-04-08 4.3 Medium
The Tickera – WordPress Event Ticketing plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the tc_dl_delete_tickets AJAX action in all versions up to, and including, 3.5.2.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete all tickets associated with events.
CVE-2024-10263 1 Tickera 1 Tickera 2026-04-08 7.3 High
The Tickera – WordPress Event Ticketing plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 3.5.4.4. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.
CVE-2023-7252 1 Tickera 1 Tickera 2025-05-30 5.3 Medium
The Tickera WordPress plugin before 3.5.2.5 does not prevent users from leaking other users' tickets.
CVE-2022-4549 1 Tickera 1 Tickera 2025-04-04 4.3 Medium
The Tickera WordPress plugin before 3.5.1.0 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack.
CVE-2021-24797 1 Tickera 1 Tickera 2024-11-21 6.1 Medium
The Tickera WordPress plugin before 3.4.8.3 does not properly sanitise and escape the Name fields of booked Events before outputting them in the Orders admin dashboard, which could allow unauthenticated users to perform Cross-Site Scripting attacks against admins.