CVE-2024-13457

5.3 MEDIUM

📋 TL;DR

The Event Tickets and Registration WordPress plugin has an Insecure Direct Object Reference vulnerability that allows unauthenticated attackers to view order details they shouldn't access. Attackers can see ticket prices, user emails, and order dates from other users' orders. All WordPress sites using this plugin up to version 5.18.1 are affected.

💻 Affected Systems

Products:
  • Event Tickets and Registration WordPress plugin
Versions: All versions up to and including 5.18.1
Operating Systems: All operating systems running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all WordPress installations using the vulnerable plugin versions, regardless of WordPress version or hosting environment.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Mass data breach exposing all order information including user emails, ticket prices, and order dates, potentially leading to privacy violations, targeted phishing attacks, and business intelligence theft.

🟠 Likely Case

Unauthorized access to individual order details, exposing personal information of event attendees and potentially revealing pricing structures.

🟢 If Mitigated

Limited exposure if proper access controls and monitoring are in place, with only minimal data leakage before detection.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires manipulating the tc-order-id parameter, which is straightforward for attackers with basic web testing knowledge.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.18.1.1

Vendor Advisory: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3229935%40event-tickets%2Ftags%2F5.18.1.1&old=3227011%40event-tickets%2Ftags%2F5.18.1

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the 'Event Tickets and Registration' plugin.
4. Click 'Update Now' if an update is available.
5. Alternatively, download version 5.18.1.1 from the WordPress plugin repository and update manually.

🔧 Temporary Workarounds

Temporary Plugin Deactivation (applies to: all)

Disable the vulnerable plugin until patched:

wp plugin deactivate event-tickets

Web Application Firewall Rule (applies to: all)

Block requests that carry a manipulated tc-order-id parameter:

Add a WAF rule that blocks or sanitizes the tc-order-id parameter.

🧯 If You Can't Patch

  • Implement strict access controls and monitoring for order data endpoints
  • Deploy web application firewall with IDOR protection rules

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel → Plugins → Event Tickets and Registration → Version number. If version is 5.18.1 or lower, you are vulnerable.

Check Version:

wp plugin get event-tickets --field=version

Verify Fix Applied:

After updating, verify plugin version shows 5.18.1.1 or higher in WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

  • Unusual access patterns to order endpoints
  • Multiple failed order ID attempts
  • Access to order IDs outside normal sequence

Network Indicators:

  • HTTP requests with manipulated tc-order-id parameters
  • Unusual traffic to /wp-content/plugins/event-tickets/ endpoints

SIEM Query:

source="web_logs" AND (uri_path="*event-tickets*" OR uri_query="*tc-order-id*") AND (status_code=200 OR status_code=403) | stats count by src_ip, uri_path

Note that tc-order-id is a query-string parameter, so it must be matched against the query field (uri_query in the Splunk Web data model) rather than uri_path; matching the path alone would miss it.
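The log indicators above (many order IDs from one client, IDs requested in sequence, a mix of 200 and 403 responses) can be checked directly against web server access logs. The following Python script is an added example, not part of this advisory or of the plugin, and it assumes combined-format access logs; the /tickets/ path and the asset filename in the sample are placeholders, and the thresholds (five distinct IDs, or a run of three consecutive IDs) are assumptions to tune per site. It groups requests carrying tc-order-id by source IP and reports clients whose pattern looks like ID enumeration rather than a normal order lookup.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in combined log format (not real traffic).
# /tickets/ is a placeholder for whichever page carries the plugin's
# tc-order-id parameter; the .js asset name is likewise a placeholder.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Jan/2025:12:00:01 +0000] "GET /tickets/?tc-order-id=1001 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Jan/2025:12:00:02 +0000] "GET /tickets/?tc-order-id=1002 HTTP/1.1" 200 5101 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Jan/2025:12:00:02 +0000] "GET /tickets/?tc-order-id=1003 HTTP/1.1" 200 5099 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Jan/2025:12:00:03 +0000] "GET /tickets/?tc-order-id=1004 HTTP/1.1" 403 512 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Jan/2025:12:00:03 +0000] "GET /tickets/?tc-order-id=1005 HTTP/1.1" 200 5130 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Jan/2025:12:00:04 +0000] "GET /tickets/?tc-order-id=1006 HTTP/1.1" 200 5088 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jan/2025:12:05:00 +0000] "GET /tickets/?tc-order-id=1042 HTTP/1.1" 200 5201 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Jan/2025:12:06:00 +0000] "GET /wp-content/plugins/event-tickets/placeholder.js HTTP/1.1" 200 8800 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [timestamp] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Parse one combined-format line into the fields the detector needs."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    # tc-order-id lives in the query string, not the path.
    order_id = parse_qs(parts.query).get("tc-order-id", [None])[0]
    return {
        "ip": m["ip"],
        "path": parts.path,
        "status": int(m["status"]),
        "order_id": order_id,
        "plugin_asset": parts.path.startswith("/wp-content/plugins/event-tickets/"),
    }


def longest_consecutive_run(values):
    """Length of the longest run of consecutive integer IDs in `values`."""
    ints = sorted({int(v) for v in values if str(v).isdigit()})
    best = run = 1 if ints else 0
    for prev, cur in zip(ints, ints[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def analyze(log_text, min_distinct=5, min_run=3):
    """Group tc-order-id requests by source IP and flag enumeration patterns.

    Returns {ip: finding}; a finding records the number of distinct order IDs
    requested, how many requests were served (200) or refused (403), the
    longest consecutive-ID run, and the reasons the client was flagged.
    Thresholds are assumptions and should be tuned to the site's traffic.
    """
    per_ip = defaultdict(lambda: {"ids": set(), "served": 0, "refused": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["order_id"] is None:
            continue
        bucket = per_ip[rec["ip"]]
        bucket["ids"].add(rec["order_id"])
        if rec["status"] == 200:
            bucket["served"] += 1
        elif rec["status"] == 403:
            bucket["refused"] += 1

    findings = {}
    for ip, b in per_ip.items():
        run = longest_consecutive_run(b["ids"])
        reasons = []
        if len(b["ids"]) >= min_distinct:
            reasons.append(f"{len(b['ids'])} distinct order IDs")
        if run >= min_run:
            reasons.append(f"sequential run of {run} IDs")
        if reasons:
            findings[ip] = {
                "distinct": len(b["ids"]),
                "served": b["served"],
                "refused": b["refused"],
                "run": run,
                "reasons": reasons,
            }
    return findings


if __name__ == "__main__":
    for ip, f in analyze(SAMPLE_LOG).items():
        print(ip, "; ".join(f["reasons"]), f"(served={f['served']}, refused={f['refused']})")
```

Run against real logs, a hit with a high served count on a site still on 5.18.1 or lower means order details were most likely disclosed and the affected order IDs should be pulled from the same lines; after the 5.18.1.1 update, the same client pattern should show refusals instead.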

🔗 References
