Skip to main content

Tickera Plugin CVE-2026-13754

| EUVDEUVD-2026-44887 MEDIUM
SQL Injection (CWE-89)
2026-07-16 Wordfence GHSA-6352-h8x4-fmq7
6.5
CVSS 3.1 · NVD
Share

Severity by source

Vendor (Wordfence) PRIMARY
MEDIUM
qualitative
NVD
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
6.5 MEDIUM

Network-accessible search input exploitable by any custom-level authenticated user; read-only SQL injection yields high confidentiality loss with no integrity or availability impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 16, 2026 - 09:05 vuln.today
CVE Published
Jul 16, 2026 - 07:51 cve.org
MEDIUM 6.5

DescriptionNVD

The Tickera - Sell Tickets & Manage Events plugin for WordPress is vulnerable to generic SQL Injection via the 's' parameter in all versions up to, and including, 3.6.0.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with custom-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

AnalysisAI

SQL Injection in the Tickera - Sell Tickets & Manage Events WordPress plugin (all versions through 3.6.0.0) permits authenticated attackers holding a custom-level role or above to append arbitrary SQL to existing queries via the unsanitized 's' search parameter, enabling full database read access. The vulnerability originates in the better-attendees-and-tickets addon (index.php lines 50, 485, and 502) and is confirmed by Wordfence with source code evidence. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain Tickera custom-level WordPress account
Delivery
Access better-attendees-and-tickets search endpoint
Exploit
Inject SQL payload in 's' parameter
Execution
Bypass query sanitization via string concatenation
Impact
Exfiltrate sensitive WordPress database contents

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated WordPress session with at minimum a Tickera 'custom-level' role - a role granted by the Tickera plugin itself, not a default WordPress role. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment CVSS 6.5 with vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N reflects a network-accessible flaw requiring only low-level authenticated access (custom-level WordPress role) with no attack complexity, yielding high database confidentiality exposure but no integrity or availability impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who holds a Tickera custom-level WordPress account - such as a registered event attendee or a low-privilege staff account - submits a crafted search request to the better-attendees-and-tickets addon with SQL injection payloads embedded in the 's' parameter, causing the backend query to return or exfiltrate data from arbitrary WordPress database tables, including wp_users password hashes and personal data. No public exploit code has been identified, but the unsanitized string concatenation pattern makes manual exploitation straightforward for any attacker familiar with MySQL UNION-based or error-based injection techniques.
Remediation A patch changeset has been committed to the WordPress plugin repository (https://plugins.trac.wordpress.org/changeset?reponame=&old=3605637%40tickera-event-ticketing-system&new=3605637%40tickera-event-ticketing-system); however, an exact released patched version number is not independently confirmed from the available input data - the fix should be treated as upstream fix available (commit/changeset), released patched version not independently verified. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-13754 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy