Event Tickets with Ticket Scanner CVE-2024-52427
CRITICALSeverity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
Deserialization of Untrusted Data vulnerability in Vollstart Event Tickets with Ticket Scanner event-tickets-with-ticket-scanner allows Server Side Include (SSI) Injection.This issue affects Event Tickets with Ticket Scanner: from n/a through <= 2.3.11.
AnalysisAI
Deserialization of untrusted data in the Vollstart Event Tickets with Ticket Scanner WordPress plugin (versions up to and including 2.3.11) enables Server-Side Include (SSI) Injection, allowing authenticated low-privilege attackers to execute arbitrary code with scope-changing impact across the affected WordPress instance. With an EPSS score of 12.22% (94th percentile) and CVSS 9.9, this represents a high-priority issue, though no public exploit identified at time of analysis. The vulnerability was disclosed by Patchstack and impacts WordPress sites running this plugin.
Technical ContextAI
The vulnerability stems from CWE-82 (Improper Neutralization of Script in Attributes of IMG Tags in a Web Page), which in this context manifests as Server-Side Include (SSI) Injection chained through unsafe deserialization of untrusted data. The Event Tickets with Ticket Scanner plugin (CPE: cpe:2.3:a:vollstart:event_tickets_with_ticket_scanner) is a WordPress extension used for event ticket management and QR/barcode scanning. The plugin deserializes attacker-controlled input without proper validation, and the deserialized content is subsequently rendered in a context where Server-Side Includes are processed, allowing injected SSI directives to be executed by the web server. This combination is particularly dangerous because deserialization gadget chains in WordPress plugins frequently lead to object instantiation abuses, while SSI injection enables direct server-side command execution depending on Apache/web server configuration.
RemediationAI
Upgrade the Event Tickets with Ticket Scanner plugin to a version newer than 2.3.11 once the vendor publishes a fix - at time of analysis, Patch available per vendor advisory but exact fixed version should be confirmed via the Patchstack advisory referenced by audit@patchstack.com. If immediate patching is not possible, deactivate and remove the plugin entirely, which is the most reliable mitigation given that both deserialization and SSI injection are at play. As compensating controls, restrict WordPress user registration and audit existing low-privilege accounts to reduce the pool of attackers who can meet the PR:L requirement; disable Server-Side Includes at the web server level (e.g., remove the Includes option from Apache directives or disable mod_include) to neutralize the SSI injection sink, with the trade-off that any legitimate SSI usage on the site will break; and deploy a WAF with rules detecting PHP object injection patterns and SSI directive strings in POST bodies, accepting that custom serialization formats may evade generic signatures.
Same technique Deserialization
View allShare
External POC / Exploit Code
Leaving vuln.today