Event Tickets < 5.18.1.1 – Insecure Direct Object Reference to Sensitive Information Exposure | CVE 2024-13457 | Plugin Vulnerabilities

Description

The Event Tickets and Registration plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.18.1 via the tc-order-id parameter due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to view order details of orders they did not place, which includes ticket prices, user emails and order date.

Affects Plugins

Fixed in 5.18.1.1

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/0cc2261a-889e-40ec-8382-48de65b91b34

Classification

Type

ACCESS CONTROLS

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Whit Taylor

Verified

No

WPVDB ID

25a4c4c7-a0c6-405d-85bd-45cb05489e35

Timeline

Publicly Published

2025-01-29 (about 1 year ago)

Added

2025-01-29 (about 1 year ago)

Last Updated

2025-01-30 (about 1 year ago)

Other

Published

Title

Published

2021-04-06

Title

WPBakery Page Builder Clipboard < 4.5.8 - Unauthorised Arbitrary License Options Update

Published

2021-08-23

Title

OMGF < 4.5.4 - Subscriber+ Arbitrary File/Folder Deletion

Published

2024-04-03

Title

CGC Maintenance Mode <= 1.2 - Sensitive Information Exposure

Published

2020-09-05

Title

NextScripts: Social Networks Auto-Poster < 4.3.18 - Insufficient Privilege Validation

Published

2023-12-22

Title

easy.jobs < 2.4.7 - Subscriber+ Arbitrary Settings Update