CVE-2024-5860

MEDIUM

Tickera < 3.5.2.9 - Authenticated Unauthorized Data Deletion via tc_dl_delete_tickets AJAX Action

Title source: llm

Description

The Tickera – WordPress Event Ticketing plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the tc_dl_delete_tickets AJAX action in all versions up to, and including, 3.5.2.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete all tickets associated with events.

References (2)

Core 2

Core References

Product

https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3103413%40tickera-event-ticketing-system&new=3103413%40tickera-event-ticketing-system&sfp_email=&sfph_mail=

Third Party Advisory

https://www.wordfence.com/threat-intel/vulnerabilities/id/d86aa41c-24df-49ec-b273-7bb57addddde?source=cve

Scores

CVSS v3 4.3

EPSS 0.0028

EPSS Percentile 19.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-862 CWE-863

Status published

Products (2)

tickera/tickera < 3.5.2.9

tickera/Tickera – Sell Tickets & Manage Events < 3.5.2.8

Published Jun 18, 2024

Tracked Since Feb 18, 2026