Impact
The vulnerability is a cross-site request forgery (CSRF) flaw in the Tickera event ticketing plugin for WordPress that lets an attacker submit forged requests to the plugin's endpoints. According to the description, the plugin processes these requests without proper validation, which implies that it does not verify the authenticity or origin of the request. If exploited, an attacker could make the site perform any action the plugin permits, such as creating or modifying events, issuing tickets, or changing plugin settings, which would compromise the integrity of the site's event data.
Affected Systems
WordPress installations that use the Tickera plugin version 3.5.5.6 or earlier are affected. The issue is confined to the plugin itself; it does not depend on particular WordPress core versions. Site administrators using these releases should review their plugin version and upgrade if possible.
Risk and Exploitability
The CVSS score of 4.3 indicates moderate severity; the impact is unintended state changes rather than code execution. The EPSS score is below 1 %, which suggests that active exploitation is currently unlikely but still possible. The vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that an attacker could trigger the flaw by causing a user to load a malicious page that automatically submits a forged request to the Tickera endpoint, provided the user has an active authenticated session or the endpoint is not protected by a nonce or token mechanism.
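The mechanism described above (a state-changing plugin endpoint that accepts a request without checking that it was produced by the plugin's own form) is what a WordPress nonce check prevents. The following is an added illustration, not Tickera's code and not derived from the vulnerable plugin: a hypothetical plugin handler registered on admin-post.php, shown first in the unprotected form and then guarded with WordPress's standard check_admin_referer() and capability check. The action names (evx_save_event, evx_save_event_unsafe), the option key evx_event_title and the admin page slug evx-events are assumptions chosen for the example.

```php
<?php
/**
 * Added example (not Tickera's code): a hypothetical WordPress plugin
 * endpoint that saves an event title via admin-post.php.
 * The names 'evx_save_event', 'evx_save_event_unsafe', 'evx_event_title'
 * and the page slug 'evx-events' are assumptions for illustration.
 */

// --- Unprotected pattern: the handler trusts any POST from a logged-in
// browser. A form on a third-party page that auto-submits to
// admin-post.php?action=evx_save_event_unsafe is processed exactly like a
// legitimate submission, because nothing ties the request to this site.
add_action( 'admin_post_evx_save_event_unsafe', 'evx_save_event_unsafe' );
function evx_save_event_unsafe() {
    $title = sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) );
    update_option( 'evx_event_title', $title ); // state change with no origin or intent check
    wp_safe_redirect( admin_url( 'admin.php?page=evx-events' ) );
    exit;
}

// --- Hardened pattern: require a nonce bound to this action and the
// current user's session, then an explicit capability check, before
// changing any state.
add_action( 'admin_post_evx_save_event', 'evx_save_event' );
function evx_save_event() {
    // check_admin_referer() validates $_POST['_wpnonce'] against the action
    // name and the current user's session; on failure it stops the request
    // with a 403 "link has expired" page. A cross-site page cannot obtain
    // this value, so a forged request fails here.
    check_admin_referer( 'evx_save_event' );

    // A nonce proves intent, not authorisation: the capability check is separate.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'evx' ), '', array( 'response' => 403 ) );
    }

    $title = sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) );
    update_option( 'evx_event_title', $title );
    wp_safe_redirect( admin_url( 'admin.php?page=evx-events&updated=1' ) );
    exit;
}

// The plugin's own form carries the matching nonce. wp_nonce_field() emits
// the hidden '_wpnonce' input that check_admin_referer() looks for.
function evx_render_event_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="evx_save_event">
        <?php wp_nonce_field( 'evx_save_event' ); ?>
        <input type="text" name="title"
               value="<?php echo esc_attr( get_option( 'evx_event_title', '' ) ); ?>">
        <?php submit_button( 'Save event' ); ?>
    </form>
    <?php
}

// For AJAX endpoints registered with wp_ajax_* the equivalent guard is
// check_ajax_referer( 'evx_save_event', 'nonce' ) followed by the same
// capability check; for REST routes, a 'permission_callback' that verifies
// the capability, with the X-WP-Nonce header handled by WordPress core.
```

When reviewing a plugin for this class of issue, the useful check is the one the hardened handler shows: every callback that writes data (update_option, wpdb writes, post or meta updates) should be reachable only after a nonce verification and a capability check, and the nonce must be specific to the action rather than reused across the plugin.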
OpenCVE Enrichment
EUVD