The Event Tickets and Registration plugin for WordPress is vulnerable to Insecure Direct Object Reference (IDOR) in all versions up to, and including, 5.18.1 via the tc-order-id parameter, due to missing validation on a user-controlled key. This makes it possible for unauthenticated attackers to view details of orders they did not place, including ticket prices, user emails, and order dates.
CVE ID: CVE-2024-13457
CVSS Base Severity: MEDIUM
CVSS Base Score: 5.3
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Vendor: theeventscalendar
Product: Event Tickets and Registration
EPSS Score: 0.05% (probability of being exploited)
EPSS Percentile: 19.76% (share of all scored CVEs with an EPSS score less than or equal to this one)
EPSS Date: 2025-02-28 (date this score was calculated)