Vulnerabilities and security researches forevent-tickets event-tickets
Direction: ascendingJun 07, 2024
Event Tickets and Registration # CVE-2024-1316
- CVE, Research URL
- Home page URL
- Application
- Date
- Mar 05, 2024
- Research Description
- The Event Tickets and Registration WordPress plugin before 5.8.1, Events Tickets Plus WordPress plugin before 5.9.1 does not prevent users with at least the contributor role from leaking the existence of certain events they shouldn't have access to. (e.g. draft, private, pending review, pw-protected, and trashed events).
- Affected versions
-
max 5.8.1.
- Status
-
vulnerable
Event Tickets and Registration # CVE-2024-1053
- CVE, Research URL
- Home page URL
- Application
- Date
- Feb 22, 2024
- Research Description
- The Event Tickets and Registration plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'email' action in all versions up to, and including, 5.8.1. This makes it possible for authenticated attackers, with contributor-level access and above, to email the attendees list to themselves.
- Affected versions
-
max 5.8.2.
- Status
-
vulnerable
Event Tickets and Registration # CVE-2021-25028
- CVE, Research URL
- Home page URL
- Application
- Date
- Jan 24, 2022
- Research Description
- The Event Tickets WordPress plugin before 5.2.2 does not validate the tribe_tickets_redirect_to parameter before redirecting the user to the given value, leading to an arbitrary redirect issue
- Affected versions
-
max 5.3.0.1.
- Status
-
vulnerable
Event Tickets and Registration # CVE-2019-16120
- CVE, Research URL
- Home page URL
- Application
- Date
- Sep 09, 2019
- Research Description
- CSV injection in the event-tickets (Event Tickets) plugin before 4.10.7.2 for WordPress exists via the "All Post> Ticketed > Attendees" Export Attendees feature.
- Affected versions
-
max 4.10.7.2.
- Status
-
vulnerable
Event Tickets and Registration # CVE-2024-2261
- CVE, Research URL
- Home page URL
- Application
- Date
- Apr 10, 2024
- Research Description
- The Event Tickets and Registration plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 5.8.2 via the RSVP functionality. This makes it possible for authenticated attackers, with contributor access and above, to extract sensitive data including emails and street addresses.
- Affected versions
-
max 5.8.3.
- Status
-
vulnerable
Jul 16, 2024
Event Tickets and Registration # CVE-2024-38762
- CVE, Research URL
- Home page URL
- Application
- Date
- Jan 02, 2025
- Research Description
- Cross-Site Request Forgery (CSRF) vulnerability in StellarWP Event Tickets event-tickets allows Cross Site Request Forgery.This issue affects Event Tickets: from n/a through <= 5.11.0.4.
- Affected versions
-
max 5.11.0.5.
- Status
-
vulnerable
Nov 14, 2024
Event Tickets and Registration # CVE-2022-4974
- CVE, Research URL
- Home page URL
- Application
- Date
- Oct 16, 2024
- Research Description
- The Freemius SDK, as used by hundreds of WordPress plugin and theme developers, was vulnerable to Cross-Site Request Forgery and Information disclosure due to missing capability checks and nonce protection on the _get_debug_log, _get_db_option, and the _set_db_option functions in versions up to, and including 2.4.2. Any WordPress plugin or theme running a version of Freemius less than 2.4.3 is vulnerable.
- Affected versions
-
max 5.3.0.1.
- Status
-
vulnerable
Jan 31, 2025
Event Tickets and Registration # CVE-2024-13457
- CVE, Research URL
- Home page URL
- Application
- Date
- Jan 30, 2025
- Research Description
- The Event Tickets and Registration plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.18.1 via the tc-order-id parameter due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to view order details of orders they did not place, which includes ticket prices, user emails and order date.
- Affected versions
-
max 5.18.1.1.
- Status
-
vulnerable
Feb 24, 2025
Event Tickets and Registration # CVE-2025-1402
- CVE, Research URL
- Home page URL
- Application
- Date
- Feb 21, 2025
- Research Description
- The Event Tickets and Registration plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'ajax_ticket_delete' function in all versions up to, and including, 5.19.1.1. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete arbitrary Attendee tickets.
- Affected versions
-
max 5.19.1.2.
- Status
-
vulnerable
Apr 03, 2025
Event Tickets and Registration # CVE-2025-30794
- CVE, Research URL
- Home page URL
- Application
- Date
- Apr 01, 2025
- Research Description
- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in StellarWP Event Tickets event-tickets allows Reflected XSS.This issue affects Event Tickets: from n/a through <= 5.20.0.
- Affected versions
-
max 5.20.1.
- Status
-
vulnerable
Dec 11, 2025
Event Tickets and Registration # CVE-2025-11517
- CVE, Research URL
- Home page URL
- Application
- Date
- Oct 18, 2025
- Research Description
- The Event Tickets and Registration plugin for WordPress is vulnerable to payment bypass in all versions up to, and including, 5.26.5. This is due to the /wp-json/tribe/tickets/v1/commerce/free/order endpoint not verifying that a ticket type should be free allowing the user to bypass the payment. This makes it possible for unauthenticated attackers to obtain access to paid tickets, without paying for them, causing a loss of revenue for the target.
- Affected versions
-
max 5.26.6.
- Status
-
vulnerable
Event Tickets and Registration # CVE-2025-62027
- CVE, Research URL
- Home page URL
- Application
- Date
- Oct 22, 2025
- Research Description
- Missing Authorization vulnerability in StellarWP Event Tickets event-tickets.This issue affects Event Tickets: from n/a through <= 5.26.3.
- Affected versions
-
max 5.26.4.
- Status
-
vulnerable
May 05, 2026
Event Tickets and Registration # CVE-2026-42662
- CVE, Research URL
- Home page URL
- Application
- Date
- Jun 16, 2026
- Research Description
- Unauthenticated Bypass Vulnerability in Event Tickets <= 5.27.5 versions.
- Affected versions
-
max 5.27.6.1.
- Status
-
vulnerable
Jun 14, 2026
Event Tickets and Registration # CVE-2023-33999
- CVE, Research URL
- Home page URL
- Application
- Date
- Jun 11, 2026
- Research Description
- Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in WPVibes WP Mail Log allows DOM-Based XSS. This issue affects WP Mail Log: from n/a through 1.0.2.
- Affected versions
-
max 5.6.0.
- Status
-
vulnerable
Jun 16, 2026
Event Tickets and Registration # 6d8910c719b2a132ec93828cd37e418b19cac960
- CVE, Research URL
- Home page URL
- Application
- Date
- Mar 04, 2022
- Research Description
- Event Tickets and Registration [event-tickets] < 5.3.0.1 Freemius SDK <= 2.4.2 - Missing Authorization Checks The Freemius SDK, as used by hundreds of WordPress plugin and theme developers, was vulnerable to Cross-Site Request Forgery and Information disclosure due to missing capability checks and nonce protection on the _get_debug_log, _get_db_option, and the _set_db_option functions in versions up to, and including 2.4.2. Any WordPress plugin or theme running a version of Freemius less than 2.4.3 is vulnerable.
- Affected versions
-
max 5.3.0.1.
- Status
-
vulnerable
Event Tickets and Registration # 0148408e7b7f46e805c78044455e5d50e91f34e1
- CVE, Research URL
- Home page URL
- Application
- Date
- Feb 28, 2022
- Research Description
- Event Tickets and Registration [event-tickets] < 5.3.0.1 WordPress Event Tickets plugin < 5.3.0.1 - Toggle The Debug Mode via Cross-Site Request Forgery (CSRF) vulnerability Toggle The Debug Mode via Cross-Site Request Forgery (CSRF) vulnerability discovered in WordPress Event Tickets plugin (versions < 5.3.0.1).
- Affected versions
-
max 5.3.0.1.
- Status
-
vulnerable
Event Tickets and Registration # 50817cc68fb1c94552c384e07369638ba92631d8
- CVE, Research URL
- Home page URL
- Application
- Date
- Feb 28, 2022
- Research Description
- Event Tickets and Registration [event-tickets] < 5.3.0.1 WordPress Event Tickets plugin < 5.3.0.1 - Sensitive Information Disclosure vulnerability Sensitive Information Disclosure vulnerability discovered in WordPress Event Tickets plugin (versions < 5.3.0.1).
- Affected versions
-
max 5.3.0.1.
- Status
-
vulnerable
Event Tickets and Registration # 577d6d7e81595f852a3f8cbc3e48a79ed7c3120d
- CVE, Research URL
- Home page URL
- Application
- Date
- Sep 03, 2019
- Research Description
- Event Tickets and Registration [event-tickets] < 4.10.7.2 WordPress Event Tickets plugin <= 4.10.7.1 - CSV Injection vulnerability CSV Injection vulnerability found by MTK in WordPress Event Tickets plugin (versions <= 4.10.7.1).
- Affected versions
-
max 4.10.7.2.
- Status
-
vulnerable
Jul 14, 2026
Event Tickets and Registration # CVE-2026-57705
- CVE, Research URL
- Home page URL
- Application
- Date
- Jul 13, 2026
- Research Description
- Missing Authorization vulnerability in Nexcess Event Tickets event-tickets allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Event Tickets: from n/a through <= 5.28.5.
- Affected versions
-
max 5.28.5.1.
- Status
-
vulnerable