Tickera Sell Tickets Manage Events
Monthly
Stored Cross-Site Scripting in the Tickera - Sell Tickets & Manage Events WordPress plugin (all versions through 3.6.0.0) allows authenticated contributors to inject persistent malicious scripts via the price_wrapper shortcode attribute, due to missing sanitization and output escaping in class.shortcodes.php. A compromised or malicious contributor account can plant the payload in any page or post, where it executes against visiting victims - but only those who carry the referenced ticket ID in their cart cookie, materially narrowing the realistic victim pool. No active exploitation has been confirmed in CISA KEV, and no EPSS data was provided in the intelligence feed.
SQL Injection in the Tickera - Sell Tickets & Manage Events WordPress plugin (all versions through 3.6.0.0) permits authenticated attackers holding a custom-level role or above to append arbitrary SQL to existing queries via the unsanitized 's' search parameter, enabling full database read access. The vulnerability originates in the better-attendees-and-tickets addon (index.php lines 50, 485, and 502) and is confirmed by Wordfence with source code evidence. No active exploitation is confirmed (no CISA KEV listing) and no public exploit has been identified at time of analysis, keeping real-world urgency moderate despite the High confidentiality impact.
Stored Cross-Site Scripting in the Tickera - Sell Tickets & Manage Events WordPress plugin (all versions through 3.6.0.0) allows authenticated contributors to inject persistent malicious scripts via the price_wrapper shortcode attribute, due to missing sanitization and output escaping in class.shortcodes.php. A compromised or malicious contributor account can plant the payload in any page or post, where it executes against visiting victims - but only those who carry the referenced ticket ID in their cart cookie, materially narrowing the realistic victim pool. No active exploitation has been confirmed in CISA KEV, and no EPSS data was provided in the intelligence feed.
SQL Injection in the Tickera - Sell Tickets & Manage Events WordPress plugin (all versions through 3.6.0.0) permits authenticated attackers holding a custom-level role or above to append arbitrary SQL to existing queries via the unsanitized 's' search parameter, enabling full database read access. The vulnerability originates in the better-attendees-and-tickets addon (index.php lines 50, 485, and 502) and is confirmed by Wordfence with source code evidence. No active exploitation is confirmed (no CISA KEV listing) and no public exploit has been identified at time of analysis, keeping real-world urgency moderate despite the High confidentiality impact.