Exploitation Summary
EIP tracks 1 public exploit for CVE-2019-16120. PoCs published by MTK.
AI-analyzed exploit summary This exploit demonstrates a CSV injection vulnerability in the WordPress Event Tickets plugin, allowing arbitrary command execution on a victim's system when they open a maliciously crafted CSV file exported from the plugin.
Description
CSV injection in the event-tickets (Event Tickets) plugin before 4.10.7.2 for WordPress exists via the "All Post> Ticketed > Attendees" Export Attendees feature.
Exploits (1)
exploitdb
WORKING POC
by MTK · textwebappsphp
https://www.exploit-db.com/exploits/47335
This exploit demonstrates a CSV injection vulnerability in the WordPress Event Tickets plugin, allowing arbitrary command execution on a victim's system when they open a maliciously crafted CSV file exported from the plugin.
Classification
Working Poc 90%
Attack Type
Other
Complexity
Trivial
Reliability
Reliable
Target:
WordPress Plugin Event Tickets <= 4.10.7.1
Auth required
Prerequisites:
Access to RSVP ticket submission · WordPress admin access to export attendees list
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026
Full analysis →
References (3)
Core 3
Core References
Third Party Advisory x_refsource_misc
https://wpvulndb.com/vulnerabilities/9858
Product, Release Notes x_refsource_misc
https://wordpress.org/plugins/event-tickets/#developers
Exploit, Third Party Advisory, VDB Entry x_refsource_misc
https://www.exploit-db.com/exploits/47335
Scores
CVSS v3
8.8
EPSS
0.0319
EPSS Percentile
86.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-1236
Status
published
Products (1)
liquidweb/event_tickets
< 4.10.7.2
Published
Sep 08, 2019
Tracked Since
Feb 18, 2026