Event Tickets WordPress Plugin Insecure Direct Object Reference Vulnerability
Vulnerability
An Insecure Direct Object Reference (IDOR) vulnerability has been identified in the Event Tickets and Registration plugin for WordPress, affecting all versions through 5.18.1. The vulnerability arises from the tc-order-id parameter, which is not checked against the identity of the requester, allowing unauthenticated attackers to access order details belonging to other users. This includes sensitive information such as ticket prices, purchaser emails, and order dates.
Impact
Exploitation of this vulnerability allows unauthorized users to access sensitive order information, including ticket prices, purchaser emails, and order dates, for orders they did not place.
Reproduction
To reproduce this vulnerability, send a request to the order endpoint of the Event Tickets plugin, including a manipulated tc-order-id parameter. The absence of validation on this parameter will trigger the IDOR vulnerability, exposing order details of other users.
Remediation
Users are advised to update the Event Tickets and Registration plugin to version 5.18.1.1 or later.
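As an added example (not the plugin's own code), the pattern that closes this class of IDOR: a hypothetical WordPress order-view handler that resolves tc-order-id but renders nothing unless the requester owns the order, is an administrator, or presents an unguessable per-order access key. The 'tc_order' post type, the meta keys, the tc-order-key parameter and the example_ function names are all assumptions.

```php
<?php
// Added example, not Event Tickets code. Assumes orders are stored as a custom
// post type 'tc_order' (hypothetical) with meta keys '_order_user_id' and
// '_order_access_key' (both hypothetical).

function example_render_order( $order ) {
    // Placeholder renderer: real code would return the ticket/price/email view.
    return array( 'id' => $order->ID, 'title' => $order->post_title );
}

// Vulnerable shape: the id alone selects the record, so any id returns any order.
function example_vulnerable_order_view() {
    $order_id = absint( $_GET['tc-order-id'] ?? 0 );
    $order    = get_post( $order_id );
    if ( ! $order ) {
        wp_die( 'Order not found', '', array( 'response' => 404 ) );
    }
    return example_render_order( $order ); // leaks any order to any caller
}

// Hardened shape: identity or possession of a secret, not the id, authorizes access.
function example_hardened_order_view() {
    $order_id   = absint( $_GET['tc-order-id'] ?? 0 );
    $access_key = sanitize_text_field( wp_unslash( $_GET['tc-order-key'] ?? '' ) );
    $order      = get_post( $order_id );

    // Same response for "missing" and "not yours" so valid ids cannot be probed.
    if ( ! $order || 'tc_order' !== $order->post_type ) {
        wp_die( 'Order not found', '', array( 'response' => 404 ) );
    }

    $owner_id   = (int) get_post_meta( $order_id, '_order_user_id', true );
    $stored_key = (string) get_post_meta( $order_id, '_order_access_key', true );

    $is_owner = is_user_logged_in() && get_current_user_id() === $owner_id;
    $is_admin = current_user_can( 'manage_options' );
    // Constant-time compare; guest checkouts receive the key by email at purchase.
    $has_key  = '' !== $stored_key && hash_equals( $stored_key, $access_key );

    if ( ! $is_owner && ! $is_admin && ! $has_key ) {
        wp_die( 'Order not found', '', array( 'response' => 404 ) );
    }
    return example_render_order( $order );
}

// Assign the per-order key when the order is created (hypothetical hook point).
function example_assign_order_access_key( $order_id ) {
    update_post_meta( $order_id, '_order_access_key', wp_generate_password( 32, false ) );
}
```

The access-key path is what lets guest purchasers still view their own order without turning the integer id into the sole credential.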
