{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-12356", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-10-27T15:39:42.084Z", "datePublished": "2026-02-18T05:29:18.934Z", "dateUpdated": "2026-04-08T17:30:26.492Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:30:26.492Z"}, "affected": [{"vendor": "tickera", "product": "Tickera \u2013 Sell Tickets & Manage Events", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.5.6.4", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Tickera \u2013 Sell Tickets & Manage Events plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wp_ajax_change_ticket_status' AJAX endpoint in all versions up to, and including, 3.5.6.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update post/event statuses."}], "title": "Tickera \u2013 WordPress Event Ticketing <= 3.5.6.4 - Missing Authorization to Authenticated (Subscriber+) Event/Post Status Update", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e7c08b1a-c73d-488c-96df-cf18acb460bb?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/tickera-event-ticketing-system/trunk/tickera.php#L3903"}, {"url": "https://plugins.trac.wordpress.org/changeset/3422813"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Athiwat Tiprasaharn"}], "timeline": [{"time": "2026-02-17T16:41:09.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-18T20:30:26.944758Z", "id": "CVE-2025-12356", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-18T20:30:37.165Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-12356", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-18T20:30:26.944758Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-18T20:30:32.948Z"}}], "cna": {"title": "Tickera \u2013 WordPress Event Ticketing <= 3.5.6.4 - Missing Authorization to Authenticated (Subscriber+) Event/Post Status Update", "credits": [{"lang": "en", "type": "finder", "value": "Athiwat Tiprasaharn"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "tickera", "product": "Tickera \u2013 Sell Tickets & Manage Events", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "3.5.6.4"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-02-17T16:41:09.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e7c08b1a-c73d-488c-96df-cf18acb460bb?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/tickera-event-ticketing-system/trunk/tickera.php#L3903"}, {"url": "https://plugins.trac.wordpress.org/changeset/3422813"}], "descriptions": [{"lang": "en", "value": "The Tickera \u2013 Sell Tickets & Manage Events plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wp_ajax_change_ticket_status' AJAX endpoint in all versions up to, and including, 3.5.6.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update post/event statuses."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:30:26.492Z"}}}, "cveMetadata": {"cveId": "CVE-2025-12356", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:30:26.492Z", "dateReserved": "2025-10-27T15:39:42.084Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-02-18T05:29:18.934Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Tickera \u2013 Sell Tickets & Manage Events plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wp_ajax_change_ticket_status' AJAX endpoint in all versions up to, and including, 3.5.6.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update post/event statuses."}, {"lang": "es", "value": "El plugin Tickera \u2013 Sell Tickets &amp; Manage Events para WordPress es vulnerable a la modificaci\u00f3n no autorizada de datos debido a una falta de verificaci\u00f3n de capacidad en el endpoint AJAX 'wp_ajax_change_ticket_status' en todas las versiones hasta la 3.5.6.4, inclusive. Esto hace posible que atacantes autenticados, con acceso de nivel Suscriptor y superior, actualicen estados de publicaciones/eventos."}], "id": "CVE-2025-12356", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-02-18T06:16:33.190", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/tickera-event-ticketing-system/trunk/tickera.php#L3903"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3422813"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e7c08b1a-c73d-488c-96df-cf18acb460bb?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.5.6.4]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Tickera \u2013 Sell Tickets & Manage Events", "source": "cna", "vendor": "tickera"}, "product": "tickera_\u2013_sell_tickets_&_manage_events", "vendor": "tickera"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-21T23:45:47.448709+00:00", "value": {"mitigation_remediation": ["Upgrade the Tickera plugin to a version newer than 3.5.6.4 that includes the missing authorization check.", "Remove or restrict the capability that allows status changes from users with the Subscriber role if they do not need it.", "Apply a security plugin or custom code that enforces proper capability checks for the wp_ajax_change_ticket_status endpoint."], "summary": {"action": "Apply Patch", "impact": "Unauthorized modification of event/post status by authenticated subscribers"}, "threat_synthesis": {"affected_systems": "All versions of the Tickera plugin up to and including 3.5.6.4 are affected. Any WordPress site that installs one of these releases of the plugin is at risk. The flaw is isolated to the plugin and does not involve other WordPress components.", "description_and_impact": "The Tickera \u2013 Sell Tickets & Manage Events plugin for WordPress contains a missing capability check on the wp_ajax_change_ticket_status AJAX endpoint. This flaw allows authenticated users with Subscriber-level access to invoke the endpoint and update the status of events or posts. The vulnerability is classified as CWE\u2011862, Missing Authorization.", "risk_and_exploitability": "The CVSS score of 4.3 indicates a low\u2011moderate risk level. The EPSS score of less than 1% suggests that exploitation is expected to be rare. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires only that an attacker be logged in as a Subscriber; the attacker can issue an Ajax request to the vulnerable endpoint, and the absence of a capability check allows the request to succeed."}}}}, "created": "2026-02-18T10:32:43.914507+00:00", "updated": "2026-04-22T00:00:03.929728+00:00", "vendors": ["tickera", "tickera$PRODUCT$tickera_\u2013_sell_tickets_&_manage_events", "wordpress", "wordpress$PRODUCT$wordpress"]}