{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-67939", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2025-12-15T10:00:06.383Z", "datePublished": "2026-01-22T16:51:53.120Z", "dateUpdated": "2026-04-28T16:14:24.312Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "tickera-event-ticketing-system", "product": "Tickera", "vendor": "Tickera", "versions": [{"changes": [{"at": "3.5.6.3", "status": "unaffected"}], "lessThanOrEqual": "3.5.6.2", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "daroo | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-22T14:21:26.205Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in Tickera Tickera tickera-event-ticketing-system allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Tickera: from n/a through <= 3.5.6.2.</p>"}], "value": "Missing Authorization vulnerability in Tickera Tickera tickera-event-ticketing-system allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Tickera: from n/a through <= 3.5.6.2."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:24.312Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/tickera-event-ticketing-system/vulnerability/wordpress-tickera-plugin-3-5-6-2-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress Tickera plugin <= 3.5.6.2 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-28T19:05:52.691571Z", "id": "CVE-2025-67939", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-27T18:06:05.796Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-67939", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-28T19:05:52.691571Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-28T19:05:10.437Z"}}], "cna": {"title": "WordPress Tickera plugin <= 3.5.6.2 - Broken Access Control vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "daroo | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Tickera", "product": "Tickera", "versions": [{"status": "affected", "changes": [{"at": "3.5.6.3", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "3.5.6.2"}], "packageName": "tickera-event-ticketing-system", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-22T14:21:26.205Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/tickera-event-ticketing-system/vulnerability/wordpress-tickera-plugin-3-5-6-2-broken-access-control-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Tickera Tickera tickera-event-ticketing-system allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Tickera: from n/a through <= 3.5.6.2.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in Tickera Tickera tickera-event-ticketing-system allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Tickera: from n/a through <= 3.5.6.2.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-23T14:13:55.215Z"}}}, "cveMetadata": {"cveId": "CVE-2025-67939", "state": "PUBLISHED", "dateUpdated": "2026-04-27T18:06:05.796Z", "dateReserved": "2025-12-15T10:00:06.383Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-01-22T16:51:53.120Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Tickera Tickera tickera-event-ticketing-system allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Tickera: from n/a through <= 3.5.6.2."}, {"lang": "es", "value": "Vulnerabilidad de autorizaci\u00f3n faltante en Tickera Tickera tickera-event-ticketing-system permite la explotaci\u00f3n de niveles de seguridad de control de acceso configurados incorrectamente. Este problema afecta a Tickera: desde n/a hasta &lt;= 3.5.6.2."}], "id": "CVE-2025-67939", "lastModified": "2026-04-27T18:16:50.730", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2026-01-22T17:16:02.707", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/tickera-event-ticketing-system/vulnerability/wordpress-tickera-plugin-3-5-6-2-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-28T18:11:59.315353+00:00", "value": {"mitigation_remediation": ["Upgrade the Tickera plugin to the latest available version to eliminate the missing authorization flaw.", "If an immediate upgrade is not possible, restrict the plugin\u2019s operational scope by adjusting WordPress role permissions so that only trusted users can access Tickera administrative pages.", "Monitor WordPress logs for abnormal ticketing actions and investigate any unauthorized access attempts."], "summary": {"action": "Apply Patch", "impact": "Access Control Bypass"}, "threat_synthesis": {"affected_systems": "The issue affects all installations of the Tickera plugin version 3.5.6.2 and older. The vendor identified is Tickera, and no further sub\u2011versions are listed. Customers running WordPress with the Tickera event ticketing system should check if their plugin version is within the vulnerable range.", "description_and_impact": "This vulnerability is a missing authorization flaw in Tickera\u2019s event ticketing plugin for WordPress. The flaw is caused by incorrectly configured access control checks that allow users who should not have certain privileges to access protected actions or data. An attacker could therefore view, modify, or delete ticket information, event details, or potentially gain administrative capabilities within the plugin. The weakness is classified as CWE-862: Broken Access Control.", "risk_and_exploitability": "The CVSS score of 6.5 places this vulnerability in the medium severity range, indicating that while exploitation does not provide immediate remote code execution, it can still expose sensitive content or alter event data. The EPSS score of less than 1% suggests that exploitation is currently considered unlikely, yet the presence of the flaw means it could be used by a determined attacker. The vulnerability is not listed in CISA KEV, so there is no known large\u2011scale exploitation campaign. Inferred from the description, the likely attack vector is via authenticated users, but anyone who can send arbitrary requests to the plugin endpoints could take advantage of the missing authorization checks."}}}}, "created": "2026-01-23T16:31:18.224042+00:00", "updated": "2026-04-28T18:15:37.369951+00:00", "vendors": ["tickera", "tickera$PRODUCT$tickera", "wordpress", "wordpress$PRODUCT$wordpress"]}