Vulnerabilities and security researches forevent-tickets event-tickets

Jun 07, 2024

CVE, Research URL: CVE-2024-1316
Home page URL: Security reports for Event Tickets and Registration
Application: Event Tickets and Registration
Date: Mar 05, 2024
Research Description: The Event Tickets and Registration WordPress plugin before 5.8.1, Events Tickets Plus WordPress plugin before 5.9.1 does not prevent users with at least the contributor role from leaking the existence of certain events they shouldn't have access to. (e.g. draft, private, pending review, pw-protected, and trashed events).
Affected versions: Min -, max -.
Status: vulnerable

CVE, Research URL: CVE-2024-1053
Home page URL: Security reports for Event Tickets and Registration
Application: Event Tickets and Registration
Date: Feb 22, 2024
Research Description: The Event Tickets and Registration plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'email' action in all versions up to, and including, 5.8.1. This makes it possible for authenticated attackers, with contributor-level access and above, to email the attendees list to themselves.
Affected versions: Min -, max -.
Status: vulnerable

CVE, Research URL: CVE-2021-25028
Home page URL: Security reports for Event Tickets and Registration
Application: Event Tickets and Registration
Date: Jan 24, 2022
Research Description: The Event Tickets WordPress plugin before 5.2.2 does not validate the tribe_tickets_redirect_to parameter before redirecting the user to the given value, leading to an arbitrary redirect issue
Affected versions: Min -, max -.
Status: vulnerable

CVE, Research URL: CVE-2019-16120
Home page URL: Security reports for Event Tickets and Registration
Application: Event Tickets and Registration
Date: Sep 09, 2019
Research Description: CSV injection in the event-tickets (Event Tickets) plugin before 4.10.7.2 for WordPress exists via the "All Post> Ticketed > Attendees" Export Attendees feature.
Affected versions: Min -, max -.
Status: vulnerable

CVE, Research URL: CVE-2024-2261
Home page URL: Security reports for Event Tickets and Registration
Application: Event Tickets and Registration
Date: Apr 10, 2024
Research Description: The Event Tickets and Registration plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 5.8.2 via the RSVP functionality. This makes it possible for authenticated attackers, with contributor access and above, to extract sensitive data including emails and street addresses.
Affected versions: Min -, max -.
Status: vulnerable

Jul 16, 2024

CVE, Research URL: CVE-2024-38762
Home page URL: Security reports for Event Tickets and Registration
Application: Event Tickets and Registration
Date: Jan 02, 2025
Research Description: Cross-Site Request Forgery (CSRF) vulnerability in The Events Calendar Event Tickets allows Cross Site Request Forgery.This issue affects Event Tickets: from n/a through 5.11.0.4.
Affected versions: Min -, max -.
Status: vulnerable

Nov 14, 2024

CVE, Research URL: CVE-2022-4974
Home page URL: Security reports for Event Tickets and Registration
Application: Event Tickets and Registration
Date: Oct 16, 2024
Research Description: The Freemius SDK, as used by hundreds of WordPress plugin and theme developers, was vulnerable to Cross-Site Request Forgery and Information disclosure due to missing capability checks and nonce protection on the _get_debug_log, _get_db_option, and the _set_db_option functions in versions up to, and including 2.4.2. Any WordPress plugin or theme running a version of Freemius less than 2.4.3 is vulnerable.
Affected versions: Min -, max -.
Status: vulnerable

Jan 31, 2025

CVE, Research URL: CVE-2024-13457
Home page URL: Security reports for Event Tickets and Registration
Application: Event Tickets and Registration
Date: Jan 30, 2025
Research Description: The Event Tickets and Registration plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.18.1 via the tc-order-id parameter due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to view order details of orders they did not place, which includes ticket prices, user emails and order date.
Affected versions: Min -, max -.
Status: vulnerable

Feb 24, 2025

CVE, Research URL: CVE-2025-1402
Home page URL: Security reports for Event Tickets and Registration
Application: Event Tickets and Registration
Date: Feb 21, 2025
Research Description: The Event Tickets and Registration plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'ajax_ticket_delete' function in all versions up to, and including, 5.19.1.1. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete arbitrary Attendee tickets.
Affected versions: Min -, max -.
Status: vulnerable

Apr 03, 2025

CVE, Research URL: CVE-2025-30794
Home page URL: Security reports for Event Tickets and Registration
Application: Event Tickets and Registration
Date: Apr 01, 2025
Research Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in The Events Calendar Event Tickets allows Reflected XSS. This issue affects Event Tickets: from n/a through 5.20.0.
Affected versions: Min -, max -.
Status: vulnerable