Description
The Tickera – Sell Tickets & Manage Events plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wp_ajax_change_ticket_status' AJAX endpoint in all versions up to, and including, 3.5.6.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update post/event statuses.
Published: 2026-02-18
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized modification of event/post status by authenticated subscribers
Action: Apply Patch
AI Analysis

Impact

The Tickera – Sell Tickets & Manage Events plugin for WordPress contains a missing capability check on the wp_ajax_change_ticket_status AJAX endpoint. This flaw allows authenticated users with Subscriber-level access to invoke the endpoint and update the status of events or posts. The vulnerability is classified as CWE-862, Missing Authorization.

Affected Systems

All versions of the Tickera plugin up to and including 3.5.6.4 are affected. Any WordPress site that installs one of these releases of the plugin is at risk. The flaw is isolated to the plugin and does not involve other WordPress components.

Risk and Exploitability

The CVSS score of 4.3 indicates a low-to-moderate risk level. The EPSS score of less than 1% suggests that exploitation is expected to be rare. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires only that an attacker be logged in as a Subscriber; the attacker can issue an AJAX request to the vulnerable endpoint, and the absence of a capability check allows the request to succeed.

Generated by OpenCVE AI on April 21, 2026 at 23:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Tickera plugin to a version newer than 3.5.6.4 that includes the missing authorization check.
  • Remove or restrict the capability that allows status changes from users with the Subscriber role if they do not need it.
  • Apply a security plugin or custom code that enforces proper capability checks for the wp_ajax_change_ticket_status endpoint.
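The third action above is the one a site owner can implement directly. The following is an added example, not Tickera's code, of a WordPress admin-ajax handler hooked on the wp_ajax_change_ticket_status action: first the unchecked pattern the advisory describes, then the same handler with the nonce check, object-level capability checks and a status allow-list added. The function names, the nonce action string and the request parameter names (post_id, status) are assumptions made for this example.

```php
<?php
/**
 * Added example (not Tickera's code): a WordPress admin-ajax handler for the
 * wp_ajax_change_ticket_status action, in unchecked and hardened form.
 * Function names, the nonce action string and the request parameters
 * (post_id, status) are assumptions made for this example.
 */

// Unchecked form: every logged-in user, Subscriber included, can reach any
// wp_ajax_* action, so without a capability check the caller's role is never
// consulted before the post status is changed. Left unregistered on purpose.
function example_change_ticket_status_unchecked() {
    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    $status  = isset( $_POST['status'] ) ? sanitize_key( $_POST['status'] ) : '';

    wp_update_post( array( 'ID' => $post_id, 'post_status' => $status ) );
    wp_send_json_success();
}

// Hardened form: CSRF nonce, object-level capability checks, and an allow-list
// for the target status.
function example_change_ticket_status() {
    // Stops the request (wp_die with HTTP 403) unless a valid nonce for this
    // action arrives in the 'nonce' request field.
    check_ajax_referer( 'example_change_ticket_status', 'nonce' );

    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    $status  = isset( $_POST['status'] ) ? sanitize_key( $_POST['status'] ) : '';

    // Authorization is checked against the specific post, not just a role:
    // edit_post is a meta capability that WordPress maps to the post type's
    // edit_posts / edit_others_posts capabilities depending on ownership.
    if ( ! $post_id || ! get_post( $post_id ) || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( array( 'message' => 'Not allowed to edit this post.' ), 403 );
    }

    // Only a fixed set of statuses may be requested; the client string is
    // never passed straight through to wp_update_post.
    $allowed_statuses = array( 'draft', 'pending', 'private', 'publish' );
    if ( ! in_array( $status, $allowed_statuses, true ) ) {
        wp_send_json_error( array( 'message' => 'Unsupported status.' ), 400 );
    }

    // Publishing needs the separate publish_post meta capability, which a
    // user who may edit their own draft does not necessarily hold.
    if ( 'publish' === $status && ! current_user_can( 'publish_post', $post_id ) ) {
        wp_send_json_error( array( 'message' => 'Not allowed to publish this post.' ), 403 );
    }

    $result = wp_update_post(
        array( 'ID' => $post_id, 'post_status' => $status ),
        true // return a WP_Error instead of 0 on failure
    );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( array( 'message' => $result->get_error_message() ), 500 );
    }

    wp_send_json_success( array( 'post_id' => $post_id, 'status' => $status ) );
}
add_action( 'wp_ajax_change_ticket_status', 'example_change_ticket_status' );
// No wp_ajax_nopriv_ registration: unauthenticated visitors must not reach this action at all.
```

The nonce is issued server-side with wp_create_nonce( 'example_change_ticket_status' ) and handed to the page script (for instance through wp_localize_script). The checks belong inside the handler itself: admin-ajax.php only authenticates the user and dispatches to the wp_ajax_* callback, it enforces no capability of its own, which is exactly why a missing current_user_can() call turns a Subscriber login into write access on post status.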

Advisories

No advisories yet.

History

Wed, 18 Feb 2026 21:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 18 Feb 2026 11:00:00 +0000

Type: First Time appeared
Values Added: Tickera; Tickera tickera – Sell Tickets & Manage Events; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Tickera; Tickera tickera – Sell Tickets & Manage Events; Wordpress; Wordpress wordpress

Wed, 18 Feb 2026 06:00:00 +0000

Type: Description
Values Added: The Tickera – Sell Tickets & Manage Events plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wp_ajax_change_ticket_status' AJAX endpoint in all versions up to, and including, 3.5.6.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update post/event statuses.

Type: Title
Values Added: Tickera – WordPress Event Ticketing <= 3.5.6.4 - Missing Authorization to Authenticated (Subscriber+) Event/Post Status Update

Type: Weaknesses
Values Added: CWE-862

Type: References
Values Added: (empty)

Type: Metrics
Values Added: cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:30:26.492Z

Reserved: 2025-10-27T15:39:42.084Z

Link: CVE-2025-12356

Vulnrichment

Updated: 2026-02-18T20:30:32.948Z

NVD

Status: Deferred

Published: 2026-02-18T06:16:33.190

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12356

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T00:00:03Z

Weaknesses