cleantalk
Vulnerabilities and Security Researches

Vulnerabilities and security researches forevent-tickets event-tickets

Direction: ascending
Jun 07, 2024

Event Tickets and Registration # CVE-2024-1316

CVE, Research URL

CVE-2024-1316

Date
Mar 05, 2024
Research Description
The Event Tickets and Registration WordPress plugin before 5.8.1, Events Tickets Plus WordPress plugin before 5.9.1 does not prevent users with at least the contributor role from leaking the existence of certain events they shouldn't have access to. (e.g. draft, private, pending review, pw-protected, and trashed events).
Affected versions
max 5.8.1.
Status
vulnerable

Event Tickets and Registration # CVE-2024-1053

CVE, Research URL

CVE-2024-1053

Date
Feb 22, 2024
Research Description
The Event Tickets and Registration plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'email' action in all versions up to, and including, 5.8.1. This makes it possible for authenticated attackers, with contributor-level access and above, to email the attendees list to themselves.
Affected versions
max 5.8.2.
Status
vulnerable

Event Tickets and Registration # CVE-2021-25028

CVE, Research URL

CVE-2021-25028

Date
Jan 24, 2022
Research Description
The Event Tickets WordPress plugin before 5.2.2 does not validate the tribe_tickets_redirect_to parameter before redirecting the user to the given value, leading to an arbitrary redirect issue
Affected versions
max 5.3.0.1.
Status
vulnerable

Event Tickets and Registration # CVE-2019-16120

CVE, Research URL

CVE-2019-16120

Date
Sep 09, 2019
Research Description
CSV injection in the event-tickets (Event Tickets) plugin before 4.10.7.2 for WordPress exists via the "All Post> Ticketed > Attendees" Export Attendees feature.
Affected versions
max 4.10.7.2.
Status
vulnerable

Event Tickets and Registration # CVE-2024-2261

CVE, Research URL

CVE-2024-2261

Date
Apr 10, 2024
Research Description
The Event Tickets and Registration plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 5.8.2 via the RSVP functionality. This makes it possible for authenticated attackers, with contributor access and above, to extract sensitive data including emails and street addresses.
Affected versions
max 5.8.3.
Status
vulnerable
Jul 16, 2024

Event Tickets and Registration # CVE-2024-38762

CVE, Research URL

CVE-2024-38762

Date
Jan 02, 2025
Research Description
Cross-Site Request Forgery (CSRF) vulnerability in StellarWP Event Tickets event-tickets allows Cross Site Request Forgery.This issue affects Event Tickets: from n/a through <= 5.11.0.4.
Affected versions
max 5.11.0.5.
Status
vulnerable
Nov 14, 2024

Event Tickets and Registration # CVE-2022-4974

CVE, Research URL

CVE-2022-4974

Date
Oct 16, 2024
Research Description
The Freemius SDK, as used by hundreds of WordPress plugin and theme developers, was vulnerable to Cross-Site Request Forgery and Information disclosure due to missing capability checks and nonce protection on the _get_debug_log, _get_db_option, and the _set_db_option functions in versions up to, and including 2.4.2. Any WordPress plugin or theme running a version of Freemius less than 2.4.3 is vulnerable.
Affected versions
max 5.3.0.1.
Status
vulnerable
Jan 31, 2025

Event Tickets and Registration # CVE-2024-13457

CVE, Research URL

CVE-2024-13457

Date
Jan 30, 2025
Research Description
The Event Tickets and Registration plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.18.1 via the tc-order-id parameter due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to view order details of orders they did not place, which includes ticket prices, user emails and order date.
Affected versions
max 5.18.1.1.
Status
vulnerable
Feb 24, 2025

Event Tickets and Registration # CVE-2025-1402

CVE, Research URL

CVE-2025-1402

Date
Feb 21, 2025
Research Description
The Event Tickets and Registration plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'ajax_ticket_delete' function in all versions up to, and including, 5.19.1.1. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete arbitrary Attendee tickets.
Affected versions
max 5.19.1.2.
Status
vulnerable
Apr 03, 2025

Event Tickets and Registration # CVE-2025-30794

CVE, Research URL

CVE-2025-30794

Date
Apr 01, 2025
Research Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in StellarWP Event Tickets event-tickets allows Reflected XSS.This issue affects Event Tickets: from n/a through <= 5.20.0.
Affected versions
max 5.20.1.
Status
vulnerable
Dec 11, 2025

Event Tickets and Registration # CVE-2025-11517

CVE, Research URL

CVE-2025-11517

Date
Oct 18, 2025
Research Description
The Event Tickets and Registration plugin for WordPress is vulnerable to payment bypass in all versions up to, and including, 5.26.5. This is due to the /wp-json/tribe/tickets/v1/commerce/free/order endpoint not verifying that a ticket type should be free allowing the user to bypass the payment. This makes it possible for unauthenticated attackers to obtain access to paid tickets, without paying for them, causing a loss of revenue for the target.
Affected versions
max 5.26.6.
Status
vulnerable

Event Tickets and Registration # CVE-2025-62027

CVE, Research URL

CVE-2025-62027

Date
Oct 22, 2025
Research Description
Missing Authorization vulnerability in StellarWP Event Tickets event-tickets.This issue affects Event Tickets: from n/a through <= 5.26.3.
Affected versions
max 5.26.4.
Status
vulnerable
May 05, 2026

Event Tickets and Registration # CVE-2026-42662

CVE, Research URL

CVE-2026-42662

Date
Jun 16, 2026
Research Description
Unauthenticated Bypass Vulnerability in Event Tickets <= 5.27.5 versions.
Affected versions
max 5.27.6.1.
Status
vulnerable
Jun 14, 2026

Event Tickets and Registration # CVE-2023-33999

CVE, Research URL

CVE-2023-33999

Date
Jun 11, 2026
Research Description
Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in WPVibes WP Mail Log allows DOM-Based XSS. This issue affects WP Mail Log: from n/a through 1.0.2.
Affected versions
max 5.6.0.
Status
vulnerable
Jun 16, 2026

Event Tickets and Registration # 6d8910c719b2a132ec93828cd37e418b19cac960

Date
Mar 04, 2022
Research Description
Event Tickets and Registration [event-tickets] < 5.3.0.1 Freemius SDK <= 2.4.2 - Missing Authorization Checks The Freemius SDK, as used by hundreds of WordPress plugin and theme developers, was vulnerable to Cross-Site Request Forgery and Information disclosure due to missing capability checks and nonce protection on the _get_debug_log, _get_db_option, and the _set_db_option functions in versions up to, and including 2.4.2. Any WordPress plugin or theme running a version of Freemius less than 2.4.3 is vulnerable.
Affected versions
max 5.3.0.1.
Status
vulnerable

Event Tickets and Registration # 0148408e7b7f46e805c78044455e5d50e91f34e1

Date
Feb 28, 2022
Research Description
Event Tickets and Registration [event-tickets] < 5.3.0.1 WordPress Event Tickets plugin < 5.3.0.1 - Toggle The Debug Mode via Cross-Site Request Forgery (CSRF) vulnerability Toggle The Debug Mode via Cross-Site Request Forgery (CSRF) vulnerability discovered in WordPress Event Tickets plugin (versions < 5.3.0.1).
Affected versions
max 5.3.0.1.
Status
vulnerable

Event Tickets and Registration # 50817cc68fb1c94552c384e07369638ba92631d8

Date
Feb 28, 2022
Research Description
Event Tickets and Registration [event-tickets] < 5.3.0.1 WordPress Event Tickets plugin < 5.3.0.1 - Sensitive Information Disclosure vulnerability Sensitive Information Disclosure vulnerability discovered in WordPress Event Tickets plugin (versions < 5.3.0.1).
Affected versions
max 5.3.0.1.
Status
vulnerable

Event Tickets and Registration # 577d6d7e81595f852a3f8cbc3e48a79ed7c3120d

Date
Sep 03, 2019
Research Description
Event Tickets and Registration [event-tickets] < 4.10.7.2 WordPress Event Tickets plugin <= 4.10.7.1 - CSV Injection vulnerability CSV Injection vulnerability found by MTK in WordPress Event Tickets plugin (versions <= 4.10.7.1).
Affected versions
max 4.10.7.2.
Status
vulnerable
Jul 14, 2026

Event Tickets and Registration # CVE-2026-57705

CVE, Research URL

CVE-2026-57705

Date
Jul 13, 2026
Research Description
Missing Authorization vulnerability in Nexcess Event Tickets event-tickets allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Event Tickets: from n/a through <= 5.28.5.
Affected versions
max 5.28.5.1.
Status
vulnerable