Tickera < 3.5.2.5 – Ticket leakage through IDOR | CVE 2023-7252 | Plugin Vulnerabilities

Description

The plugin does not prevent users from leaking other users' tickets.

Proof of Concept

After a user has bought a ticket, an example of a ticket would look like

https://www.website.com/?download_ticket=1&order_key=1234567890&download_ticket_nonce=ab903b7c71, but due to missing validation, the URL can be shortened to https://www.website.com/?download_ticket=1&order_key=1234567890.

This allows an attacker to take the ID value from another purchase in the download_ticket parameter and iterate through the order_key parameter from 00000000 to 99999999 and steal tickets from other participants

Affects Plugins

tickera-event-ticketing-system

Fixed in 3.5.2.5

References

CVE

Classification

Type

IDOR

OWASP top 10

A5: Broken Access Control

CWE

Miscellaneous

Original Researcher

Martin Thirup Christensen

Submitter

Martin Thirup Christensen

Submitter twitter

Verified

Yes

WPVDB ID

c452c5da-05a6-4a14-994d-e5049996d496

Timeline

Publicly Published

2024-04-01 (about 1 months ago)

Added

2024-04-01 (about 1 months ago)

Last Updated

2024-04-01 (about 1 months ago)

Other

Published

Title

Published

2024-04-19

Title

VikBooking < 1.6.8 - Insecure Direct Object References

Published

2021-09-22

Title

WP User Manager < 2.6.3 - Arbitrary User Password Reset to Account Compromise

Published

2023-04-10

Title

Blocksy Companion < 1.8.82 - Subscriber+ Draft Post Access

Published

2023-10-09

Title

WordPress File Sharing Plugin < 2.0.5 - Subscriber+ Sensitive Data and Files Exposure via IDOR

Published

2023-12-29

Title

WP User Profile Avatar < 1.0.1 - Author+ Avatar Deletion/Update via IDOR