Skip to main content

Tickera WordPress Plugin CVE-2026-13755

| EUVDEUVD-2026-44894 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-07-16 Wordfence GHSA-r4f4-cp69-p8vr
6.4
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
6.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
vuln.today AI
5.4 MEDIUM

PR:L for required contributor access; UI:R because payload detonation requires the victim to have previously added the specific ticket to their cart, constituting a prerequisite user action; S:C for victim browser scope change.

3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 16, 2026 - 09:08 vuln.today
CVE Published
Jul 16, 2026 - 07:51 cve.org
MEDIUM 6.4

DescriptionCVE.org

The Tickera - Sell Tickets & Manage Events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'price_wrapper' Shortcode Attribute in all versions up to, and including, 3.6.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Successful execution of the injected script is limited to victims who have the referenced ticket ID present in their cart cookie, meaning the payload only fires for users who have previously added that ticket to their cart.

AnalysisAI

Stored Cross-Site Scripting in the Tickera - Sell Tickets & Manage Events WordPress plugin (all versions through 3.6.0.0) allows authenticated contributors to inject persistent malicious scripts via the price_wrapper shortcode attribute, due to missing sanitization and output escaping in class.shortcodes.php. A compromised or malicious contributor account can plant the payload in any page or post, where it executes against visiting victims - but only those who carry the referenced ticket ID in their cart cookie, materially narrowing the realistic victim pool. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain contributor WordPress account
Delivery
Author post with malicious price_wrapper shortcode payload
Exploit
Publish post to site
Execution
Victim adds target ticket to cart
Persist
Victim navigates to injected page
Impact
Stored script executes in victim browser

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated WordPress account with contributor-level privileges or higher - unauthenticated attackers cannot inject the malicious shortcode. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD CVSS 3.1 score of 6.4 (Medium) with vector AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N reflects the network-reachable stored XSS with scope change to victim browsers, but the UI:N designation may overstate risk slightly - the cart cookie prerequisite effectively introduces a victim-side condition analogous to user interaction. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker holding a contributor-level WordPress account (obtained via account creation, credential theft, or insider access) authors a post embedding the price_wrapper shortcode with a JavaScript payload in one of its attributes, such as a crafted class or data parameter. The post is published and indexed; when a site visitor who had previously added the targeted ticket to their cart navigates to that page, their browser fetches the stored page and executes the injected script - potentially stealing session cookies, redirecting the user to a phishing page, or performing actions on their behalf. …
Remediation A code changeset has been committed to the WordPress plugin repository (https://plugins.trac.wordpress.org/changeset?reponame=&old=3605637%40tickera-event-ticketing-system&new=3605637%40tickera-event-ticketing-system), indicating an upstream fix is available; however, the specific patched release version number is not confirmed by the available intelligence data. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-13755 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy