4.3
Tickera Plugin Allows Attackers to Change Event Status
CVE-2025-12356
Summary
The Tickera plugin for WordPress doesn't properly check who can change event statuses. This means a hacker with a subscriber-level account or higher can change event statuses without permission. Update the plugin to the latest version to fix this issue.
Original title
The Tickera – Sell Tickets & Manage Events plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wp_ajax_change_ticket_status' AJAX endpo...
Original description
The Tickera – Sell Tickets & Manage Events plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wp_ajax_change_ticket_status' AJAX endpoint in all versions up to, and including, 3.5.6.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update post/event statuses.
NVD CVSS 3.1
4.3
Vulnerability type
CWE-862
Missing Authorization
Published: 18 Feb 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026