Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Network-accessible search input exploitable by any custom-level authenticated user; read-only SQL injection yields high confidentiality loss with no integrity or availability impact.
Primary rating from Vendor (Wordfence).
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionNVD
The Tickera - Sell Tickets & Manage Events plugin for WordPress is vulnerable to generic SQL Injection via the 's' parameter in all versions up to, and including, 3.6.0.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with custom-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
AnalysisAI
SQL Injection in the Tickera - Sell Tickets & Manage Events WordPress plugin (all versions through 3.6.0.0) permits authenticated attackers holding a custom-level role or above to append arbitrary SQL to existing queries via the unsanitized 's' search parameter, enabling full database read access. The vulnerability originates in the better-attendees-and-tickets addon (index.php lines 50, 485, and 502) and is confirmed by Wordfence with source code evidence. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated WordPress session with at minimum a Tickera 'custom-level' role - a role granted by the Tickera plugin itself, not a default WordPress role. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | CVSS 6.5 with vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N reflects a network-accessible flaw requiring only low-level authenticated access (custom-level WordPress role) with no attack complexity, yielding high database confidentiality exposure but no integrity or availability impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who holds a Tickera custom-level WordPress account - such as a registered event attendee or a low-privilege staff account - submits a crafted search request to the better-attendees-and-tickets addon with SQL injection payloads embedded in the 's' parameter, causing the backend query to return or exfiltrate data from arbitrary WordPress database tables, including wp_users password hashes and personal data. No public exploit code has been identified, but the unsanitized string concatenation pattern makes manual exploitation straightforward for any attacker familiar with MySQL UNION-based or error-based injection techniques. |
| Remediation | A patch changeset has been committed to the WordPress plugin repository (https://plugins.trac.wordpress.org/changeset?reponame=&old=3605637%40tickera-event-ticketing-system&new=3605637%40tickera-event-ticketing-system); however, an exact released patched version number is not independently confirmed from the available input data - the fix should be treated as upstream fix available (commit/changeset), released patched version not independently verified. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44887
GHSA-6352-h8x4-fmq7