CVE-2024-13457

Event Tickets <= 5.18.1 - Insecure Direct Object Reference to Sensitive Information Exposure

CVSS 5.3 MEDIUMEPSS 0.3%CWE-284

The Event Tickets and Registration plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.18.1 via the tc-order-id parameter due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to view order details of orders they did not place, which includes ticket prices, user emails and order date.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Productos afectados

stellarwp · Event Tickets and Registration

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →

Referencias

https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3229935%40event-tickets%2Ftags%2F5.18.1.1&old=3227011%40event-tickets%2Ftags%2F5.18.1 https://www.wordfence.com/threat-intel/vulnerabilities/id/0cc2261a-889e-40ec-8382-48de65b91b34?source=cve