PT-2024-39898 · WordPress · Event Tickets With Ticket Scanner
D.Sim +1
Published 2024-12-06 · Updated 2024-12-06
CVE-2024-9866
CVSS v3.1: 5.4 (Medium)
| Vector | AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Event Tickets with Ticket Scanner plugin for WordPress versions prior to 2.4.4
Description
The issue is related to Stored Cross-Site Scripting via the data parameters due to insufficient input sanitization and output escaping, as well as missing authorization on the functionality to manage tickets. This allows authenticated attackers with subscriber-level access and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Recommendations
For versions prior to 2.4.1, consider disabling the functionality to manage tickets to minimize the risk of exploitation.
For versions 2.4.1 to 2.4.3, restrict access to the data parameters in the affected functionality to minimize the risk of Cross-Site Scripting exploitation.
For versions prior to 2.4.4, update to version 2.4.4 to fully patch the Stored Cross-Site Scripting vulnerability.
Fix
XSS
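As an added illustration, not the plugin's code (which this advisory does not reproduce), a hypothetical WordPress AJAX handler that saves a ticket's `data` value, shown first with the three defects the description names and then hardened with an authorization check, a nonce check, input sanitization and output escaping. The function names, the hook, the `ticket_data` meta key, the nonce action and the `edit_others_posts` capability are assumptions for the example.

```php
<?php
// Added example, not the plugin's code. Handler names, hook, 'ticket_data'
// meta key, nonce action and the chosen capability are assumptions.

// BEFORE: exhibits the defect class the advisory describes. Any logged-in
// user (subscriber and above) can reach it through admin-ajax, the value
// is stored without sanitization and echoed without escaping.
function ticket_scanner_save_ticket_before() {
    $post_id = (int) $_POST['post_id'];
    $data    = $_POST['data'];                        // no sanitization
    update_post_meta( $post_id, 'ticket_data', $data );
    echo '<div class="ticket">' . $data . '</div>';  // no output escaping
    wp_die();
}

// AFTER: authorization, CSRF check, sanitized input, escaped output.
function ticket_scanner_save_ticket() {
    // Authorization: ticket management is not a subscriber capability.
    // 'edit_others_posts' (Editor and above) is an assumed choice.
    if ( ! current_user_can( 'edit_others_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // CSRF: the request must carry a nonce created with
    // wp_create_nonce( 'ticket_scanner_save' ) in the 'nonce' field.
    check_ajax_referer( 'ticket_scanner_save', 'nonce' );

    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    if ( ! $post_id || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // Input sanitization: strip tags and control characters before storing.
    $data = isset( $_POST['data'] )
        ? sanitize_text_field( wp_unslash( $_POST['data'] ) )
        : '';
    update_post_meta( $post_id, 'ticket_data', $data );

    // Output escaping at render time, independent of the input filter:
    // stored values may come from older records or other code paths.
    wp_send_json_success( array(
        'html' => '<div class="ticket">' . esc_html( $data ) . '</div>',
    ) );
}
// Only the hardened handler is registered; the "before" version is kept
// for comparison. No 'wp_ajax_nopriv_' hook, so anonymous users get nothing.
add_action( 'wp_ajax_ticket_scanner_save_ticket', 'ticket_scanner_save_ticket' );
```

The same pattern applies to any page that later renders the stored value: escape with `esc_html()` or `esc_attr()` at output even when the input was sanitized on the way in.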
Affected Products
Event Tickets With Ticket Scanner