Event Tickets And Registration
Approved changes feed: RSS · Atom
cpe:2.3:a:stellarwp:event_tickets_and_registration:*:*:*:*:*:*:*:*
part: a version: * update: *
| Vendor | Stellarwp (85cedc32-4162-5fac-82cb-4647b1b8e38d) |
|---|---|
| Product | Event Tickets And Registration (013db73f-24e6-5ec1-8325-2de7643a1932) |
| Edition | * |
| Language | * |
| Software edition | * |
| Target software | * |
| Target hardware | * |
| Other | * |
| Notes | Imported from gcve-enriched-dumps CVE data |
PURL mappings
| PURL | Source | Last updated |
|---|---|---|
| No PURL mappings for this CPE yet. | ||
Vulnerability references
| Identifier | cpeApplicability | Submitted | db.gcve.eu details | Rationale |
|---|---|---|---|---|
CVE:CVE-2025-1402 |
vulnerable | 2026-06-03 14:59:05.364684 |
Event Tickets and Registration <= 5.19.1.1 - Missing Authorization to Ticket Deletion
MEDIUM (5.3)
The Event Tickets and Registration plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'ajax_ticket_delete' function in all versions up to, and including, 5.19.1.1. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete arbitrary Attendee tickets.
Published: 2025-02-21T11:09:34.845Z
Updated: 2026-04-08T17:27:39.770Z Reference links
|
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-11517 |
vulnerable | 2026-06-03 14:58:42.543346 |
Event Tickets and Registration <= 5.26.5 - Unauthenticated Ticket Payment Bypass
HIGH (7.5)
The Event Tickets and Registration plugin for WordPress is vulnerable to payment bypass in all versions up to, and including, 5.26.5. This is due to the /wp-json/tribe/tickets/v1/commerce/free/order endpoint not verifying that a ticket type should be free allowing the user to bypass the payment. This makes it possible for unauthenticated attackers to obtain access to paid tickets, without paying for them, causing a loss of revenue for the target.
Published: 2025-10-18T06:42:43.892Z
Updated: 2026-04-08T16:41:30.638Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-2261 |
vulnerable | 2026-06-03 14:55:28.834427 |
Event Tickets and Registration <= 5.8.2 - Improper Authorization to Information Disclosure
MEDIUM (4.3)
The Event Tickets and Registration plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 5.8.2 via the RSVP functionality. This makes it possible for authenticated attackers, with contributor access and above, to extract sensitive data including emails and street addresses.
Published: 2024-04-09T18:58:41.029Z
Updated: 2026-04-08T16:44:21.773Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-1053 |
vulnerable | 2026-06-03 14:54:26.045337 |
Event Tickets and Registration <= 5.8.1 - Missing Authorization
MEDIUM (4.3)
The Event Tickets and Registration plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'email' action in all versions up to, and including, 5.8.1. This makes it possible for authenticated attackers, with contributor-level access and above, to email the attendees list to themselves.
Published: 2024-02-22T05:32:49.364Z
Updated: 2026-04-08T17:13:40.346Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-13457 |
vulnerable | 2026-06-03 14:54:24.689106 |
Event Tickets <= 5.18.1 - Insecure Direct Object Reference to Sensitive Information Exposure
MEDIUM (5.3)
The Event Tickets and Registration plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.18.1 via the tc-order-id parameter due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to view order details of orders they did not place, which includes ticket prices, user emails and order date.
Published: 2025-01-30T06:41:07.956Z
Updated: 2026-04-08T16:35:10.449Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-4974 |
vulnerable | 2026-06-03 14:48:44.300881 |
Freemius SDK <= 2.4.2 - Missing Authorization Checks
MEDIUM (6.3)
The Freemius SDK, as used by hundreds of WordPress plugin and theme developers, was vulnerable to Cross-Site Request Forgery and Information disclosure due to missing capability checks and nonce protection on the _get_debug_log, _get_db_option, and the _set_db_option functions in versions up to, and including 2.4.2. Any WordPress plugin or theme running a version of Freemius less than 2.4.3 is vulnerable.
Published: 2024-10-16T06:43:30.014Z
Updated: 2026-04-08T16:46:54.861Z Reference links
|
Imported from gcve-enriched-dumps CVE data |
Contribute
You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.