CVE-2025-12356
Received Received - Intake

Unauthorized Data Modification in Tickera Plugin via Missing Capability Check

Vulnerability report for CVE-2025-12356, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-02-18

Last updated on: 2026-02-18

Assigner: Wordfence

Description

The Tickera – Sell Tickets & Manage Events plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wp_ajax_change_ticket_status' AJAX endpoint in all versions up to, and including, 3.5.6.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update post/event statuses.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-02-18
Last Modified
2026-02-18
Generated
2026-07-06
AI Q&A
2026-02-18
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 3 associated CPEs
Vendor Product Version / Range
tickera tickera to 3.5.6.4 (inc)
tickera tickera 3.5.6.5
tickera tickera 3.5.6.7

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The vulnerability in the Tickera – Sell Tickets & Manage Events plugin for WordPress is due to a missing capability check on the 'wp_ajax_change_ticket_status' AJAX endpoint in all versions up to and including 3.5.6.4.

This flaw allows authenticated attackers with Subscriber-level access or higher to modify post or event statuses without proper authorization.

Essentially, the plugin did not properly verify if the user had the right permissions before allowing changes to ticket or event statuses, leading to unauthorized data modification.

Impact Analysis

This vulnerability can allow attackers with low-level authenticated access (Subscriber or above) to change the status of posts or events, potentially disrupting event management and ticket sales.

Such unauthorized modifications could lead to incorrect event statuses being displayed, manipulation of ticket availability, or other data integrity issues within the event management system.

While it does not directly impact confidentiality or availability, it poses an integrity risk by allowing unauthorized changes to event data.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': "This vulnerability involves unauthorized modification of data via the 'wp_ajax_change_ticket_status' AJAX endpoint in the Tickera WordPress plugin. Detection would involve monitoring AJAX requests to this endpoint for unauthorized or suspicious activity, especially from users with Subscriber-level access or above."}, {'type': 'paragraph', 'content': "Specific commands are not provided in the available resources. However, general detection methods could include inspecting web server logs for POST requests to the 'wp-admin/admin-ajax.php' endpoint with the action parameter set to 'change_ticket_status', and verifying the user roles associated with those requests."}] [1, 3]

Mitigation Strategies

[{'type': 'paragraph', 'content': 'The immediate mitigation step is to update the Tickera plugin to version 3.5.6.5 or later, where the vulnerability has been patched.'}, {'type': 'list_item', 'content': "Apply the security patch that enforces proper capability checks such as `current_user_can('manage_options')` or `current_user_can('manage_events_cap')` before processing AJAX requests."}, {'type': 'list_item', 'content': "Ensure nonce verification is enabled on AJAX endpoints using `check_ajax_referer('tc_ajax_nonce', 'nonce')` to protect against CSRF attacks."}, {'type': 'list_item', 'content': 'Sanitize and escape all user inputs and outputs to prevent injection attacks.'}, {'type': 'paragraph', 'content': 'These steps collectively strengthen access control and input validation, mitigating the risk of unauthorized data modification.'}] [1]

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-12356. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart