Tickera < 3.5.2.5 – Ticket leakage through IDOR | CVE 2023-7252 | Plugin Vulnerabilities

Description

The plugin does not prevent users from leaking other users' tickets.

Proof of Concept

After a user has bought a ticket, an example of a ticket would look like

https://www.website.com/?download_ticket=1&order_key=1234567890&download_ticket_nonce=ab903b7c71, but due to missing validation, the URL can be shortened to https://www.website.com/?download_ticket=1&order_key=1234567890.

This allows an attacker to take the ID value from another purchase in the download_ticket parameter and iterate through the order_key parameter from 00000000 to 99999999 and steal tickets from other participants

Affects Plugins

tickera-event-ticketing-system

Fixed in 3.5.2.5

References

CVE

Classification

Type

IDOR

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Martin Thirup Christensen

Submitter

Martin Thirup Christensen

Submitter twitter

Verified

Yes

WPVDB ID

c452c5da-05a6-4a14-994d-e5049996d496

Timeline

Publicly Published

2024-04-01 (about 1 year ago)

Added

2024-04-01 (about 1 year ago)

Last Updated

2024-04-01 (about 1 year ago)

Other

Published

Title

Published

2024-03-18

Title

Permalink Manager < 2.4.3.2 - Missing Authorization to Authenticated(Author+) arbitrary post slug modification

Published

2023-08-01

Title

Stripe Payment Plugin for WooCommerce < 3.7.8 - Authentication Bypass

Published

2024-04-22

Title

Rate My Post – Star Rating Plugin by FeedbackWP < 3.4.5 - Insecure Direct Object Reference

Published

2024-11-27

Title

Restaurant & Cafe Addon for Elementor < 1.6.0 - Authenticated (Contributor+) Post Disclosure

Published

2025-11-24

Title

Admin and Customer Messages After Order for WooCommerce: OrderConvo <= 14 - Missing Authorization to Unauthenticated Information Disclosure