Tickera < 3.4.8.3 – Unauthenticated Stored Cross-Site Scripting | CVE 2021-24797 | Plugin Vulnerabilities

Description

The plugin does not properly sanitise and escape the Name fields of booked Events before outputting them in the Orders admin dashboard, which could allow unauthenticated users to perform Cross-Site Scripting attacks against admins.

Proof of Concept

As unauthenticated, book an Event, and put the following payload in the Buyer Info First or Last Name: <svg/onload=alert(/XSS/)>

The XSS will be triggered when admin view the Orders page in the admin dashboard (/wp-admin/edit.php?post_type=tc_orders)

https://www.youtube.com/watch?v=AGs6WqI4VAg

Affects Plugins

tickera-event-ticketing-system

Fixed in 3.4.8.3

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Ajit Bhatta

Submitter

Ajit Bhatta

Submitter twitter

Verified

Yes

WPVDB ID

0eb07cc8-8a19-4e01-ab90-844495413453

Timeline

Publicly Published

2021-11-23 (about 4 years ago)

Added

2021-11-23 (about 4 years ago)

Last Updated

2022-04-09 (about 3 years ago)

Other

Published

Title

Published

2021-07-30

Title

Custom Dashboard & Login Page - AGCA < 6.9.2 - Admin+ Stored Cross-Site Scripting

Published

2025-03-18

Title

RDP Linkedin Login <= 1.7.0 - Reflected Cross-Site Scripting

Published

2025-04-04

Title

Musician's Pack for Elementor <= 1.8.7 - Contributor+ Stored XSS

Published

2025-08-15

Title

Intl DateTime Calendar <= 1.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via date Parameter

Published

2024-07-11

Title

Qi Blocks < 1.3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting