This vulnerability is a missing authorization flaw in Tickera’s event ticketing plugin for WordPress. The flaw is caused by incorrectly configured access control checks that allow users who should not have certain privileges to access protected actions or data. An attacker could therefore view, modify, or delete ticket information, event details, or potentially gain administrative capabilities within the plugin. The weakness is classified as CWE-862: Broken Access Control.

The issue affects all installations of the Tickera plugin version 3.5.6.2 and older. The vendor identified is Tickera, and no further sub‑versions are listed. Customers running WordPress with the Tickera event ticketing system should check if their plugin version is within the vulnerable range.

The CVSS score of 6.5 places this vulnerability in the medium severity range, indicating that while exploitation does not provide immediate remote code execution, it can still expose sensitive content or alter event data. The EPSS score of less than 1% suggests that exploitation is currently considered unlikely, yet the presence of the flaw means it could be used by a determined attacker. The vulnerability is not listed in CISA KEV, so there is no known large‑scale exploitation campaign. Inferred from the description, the likely attack vector is via authenticated users, but anyone who can send arbitrary requests to the plugin endpoints could take advantage of the missing authorization checks.