Skip to main content

Event Tickets with Ticket Scanner CVE-2024-52427

CRITICAL
Improper Neutralization of Script in Attributes of IMG Tags in a Web Page (CWE-82)
2024-11-18 audit@patchstack.com
9.9
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.9 CRITICAL
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Severity Changed
Apr 23, 2026 - 15:22 NVD
HIGH CRITICAL
CVSS changed
Apr 23, 2026 - 15:22 NVD
8.8 (HIGH) 9.9 (CRITICAL)
CVE Published
Nov 18, 2024 - 15:15 nvd
HIGH 8.8

DescriptionCVE.org

Deserialization of Untrusted Data vulnerability in Vollstart Event Tickets with Ticket Scanner event-tickets-with-ticket-scanner allows Server Side Include (SSI) Injection.This issue affects Event Tickets with Ticket Scanner: from n/a through <= 2.3.11.

AnalysisAI

Deserialization of untrusted data in the Vollstart Event Tickets with Ticket Scanner WordPress plugin (versions up to and including 2.3.11) enables Server-Side Include (SSI) Injection, allowing authenticated low-privilege attackers to execute arbitrary code with scope-changing impact across the affected WordPress instance. With an EPSS score of 12.22% (94th percentile) and CVSS 9.9, this represents a high-priority issue, though no public exploit identified at time of analysis. The vulnerability was disclosed by Patchstack and impacts WordPress sites running this plugin.

Technical ContextAI

The vulnerability stems from CWE-82 (Improper Neutralization of Script in Attributes of IMG Tags in a Web Page), which in this context manifests as Server-Side Include (SSI) Injection chained through unsafe deserialization of untrusted data. The Event Tickets with Ticket Scanner plugin (CPE: cpe:2.3:a:vollstart:event_tickets_with_ticket_scanner) is a WordPress extension used for event ticket management and QR/barcode scanning. The plugin deserializes attacker-controlled input without proper validation, and the deserialized content is subsequently rendered in a context where Server-Side Includes are processed, allowing injected SSI directives to be executed by the web server. This combination is particularly dangerous because deserialization gadget chains in WordPress plugins frequently lead to object instantiation abuses, while SSI injection enables direct server-side command execution depending on Apache/web server configuration.

RemediationAI

Upgrade the Event Tickets with Ticket Scanner plugin to a version newer than 2.3.11 once the vendor publishes a fix - at time of analysis, Patch available per vendor advisory but exact fixed version should be confirmed via the Patchstack advisory referenced by audit@patchstack.com. If immediate patching is not possible, deactivate and remove the plugin entirely, which is the most reliable mitigation given that both deserialization and SSI injection are at play. As compensating controls, restrict WordPress user registration and audit existing low-privilege accounts to reduce the pool of attackers who can meet the PR:L requirement; disable Server-Side Includes at the web server level (e.g., remove the Includes option from Apache directives or disable mod_include) to neutralize the SSI injection sink, with the trade-off that any legitimate SSI usage on the site will break; and deploy a WAF with rules detecting PHP object injection patterns and SSI directive strings in POST bodies, accepting that custom serialization formats may evade generic signatures.

Share

CVE-2024-52427 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy