CVE-2024-13457

Name of the Vulnerable Software and Affected Versions Event Tickets and Registration plugin for WordPress versions up to, and including, 5.18.1

Description The issue allows unauthenticated attackers to view order details of orders they did not place, which includes ticket prices, user emails, and order date, due to missing validation on a user-controlled key via the tc-order-id parameter. This makes it possible for attackers to access sensitive information without proper authorization.

Recommendations For versions up to, and including, 5.18.1, update to a version later than 5.18.1 to resolve the issue. As a temporary workaround, consider restricting access to the tc-order-id parameter to minimize the risk of exploitation.