
CVE-2024-12578: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in tickera Tickera – WordPress Event Ticketing

Severity: Medium
Tags: Vulnerability, CVE-2024-12578, CWE-200
Published: Sat Dec 14 2024 (12/14/2024, 04:23:39 UTC)
Source: CVE Database V5
Vendor/Project: tickera
Product: Tickera – WordPress Event Ticketing

Description

CVE-2024-12578 is a medium severity vulnerability in the Tickera – WordPress Event Ticketing plugin affecting all versions up to and including 3.5.4.8. It allows unauthenticated attackers to access the 'tickera_tickets_info' endpoint and extract sensitive booking information such as full names, email addresses, and check-in/out timestamps. This exposure of sensitive information (CWE-200) compromises user privacy but does not affect system integrity or availability. The vulnerability requires no authentication or user interaction and can be exploited remotely over the network. No known exploits are currently reported in the wild. Organizations using this plugin for event ticketing on WordPress sites should prioritize patching or applying mitigations to prevent unauthorized data disclosure. The impact is primarily on confidentiality, with potential privacy and compliance implications.

AI-Powered Analysis

AI analysis last updated: 02/26/2026, 03:42:39 UTC

Technical Analysis

The vulnerability identified as CVE-2024-12578 affects the Tickera – WordPress Event Ticketing plugin, a widely used tool for managing event ticket sales on WordPress websites. The issue lies in the 'tickera_tickets_info' endpoint, which improperly exposes sensitive booking data to unauthenticated users. This endpoint leaks personally identifiable information (PII) including full names, email addresses, and timestamps related to check-in and check-out activities. The vulnerability is classified under CWE-200, indicating an exposure of sensitive information to unauthorized actors. It affects all versions up to and including 3.5.4.8. Exploitation requires no authentication or user interaction, making it accessible to any remote attacker with network access to the affected WordPress site. The CVSS v3.1 base score is 5.3, reflecting a medium severity primarily due to the confidentiality impact without affecting integrity or availability. No patches or fixes are currently linked, and no active exploits have been reported in the wild. The vulnerability poses a significant privacy risk, especially for organizations handling large volumes of event attendee data. Attackers could leverage this information for phishing, social engineering, or identity theft. The plugin’s popularity in event management amplifies the potential exposure across multiple sectors worldwide.

Potential Impact

The primary impact of CVE-2024-12578 is the unauthorized disclosure of sensitive personal information, which can lead to privacy violations and regulatory non-compliance (e.g., GDPR, CCPA). Organizations using the Tickera plugin risk exposing attendee data, potentially damaging customer trust and brand reputation. While the vulnerability does not allow modification or disruption of services, the leaked data could be used for targeted phishing campaigns or identity fraud. Event organizers, ticket sellers, and venues relying on this plugin are particularly vulnerable. The widespread use of WordPress and Tickera in various industries, including entertainment, conferences, and sports, increases the scope of affected entities globally. The lack of authentication or user interaction needed for exploitation makes the vulnerability easier to abuse by attackers scanning for vulnerable endpoints. Although no known exploits are currently active, the risk remains significant until a patch is released and applied.

Mitigation Recommendations

1. Immediately restrict access to the 'tickera_tickets_info' endpoint using web application firewalls (WAFs) or server-level access controls to block unauthenticated requests.
2. Monitor web server logs for unusual or repeated access attempts to this endpoint to detect potential exploitation attempts.
3. Disable or remove the Tickera plugin temporarily if sensitive data exposure cannot be otherwise mitigated.
4. Follow Tickera vendor communications closely and apply any security patches or updates as soon as they become available.
5. Implement strict role-based access controls within WordPress to limit plugin data visibility to authorized users only.
6. Consider additional encryption or tokenization of sensitive booking data stored or transmitted by the plugin.
7. Educate staff and users about phishing risks that may arise from leaked personal information.
8. Conduct regular security audits and vulnerability scans on WordPress installations to identify similar exposure risks.
9. If possible, isolate event ticketing systems from other critical infrastructure to reduce lateral movement risks.
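The log-monitoring step above (and the check that a WAF rule from step 1 is actually taking effect) can be automated. The following is an added example written for this advisory; it is not code from the CVE record, from Wordfence or from Tickera. It assumes the endpoint name 'tickera_tickets_info' appears in the request URI (path or query string) of an Apache/nginx combined-format access log; the admin-ajax.php paths in the constructed sample lines are an assumption about how the endpoint is reached, since the advisory does not state the URL. A combined log does not record whether a request carried a WordPress login cookie, so every hit is treated as worth review, and 2xx responses are separated from denied or failed ones so that a still-served endpoint stands out after a block has been deployed.

```python
"""Scan access logs for requests to the 'tickera_tickets_info' endpoint (CVE-2024-12578).

Added example, not from the advisory or the vendor. Assumption: the endpoint name
appears in the request URI of a combined-format Apache/nginx access log.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional

ENDPOINT = "tickera_tickets_info"  # endpoint named in the advisory

# Apache/nginx "combined" format: ip ident user [ts] "METHOD uri proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample traffic (not real logs). The admin-ajax.php paths are an
# assumption; the advisory names only the endpoint, not its URL.
SAMPLE_LOG = """\
203.0.113.10 - - [14/Dec/2024:04:30:01 +0000] "GET /events/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [14/Dec/2024:04:30:02 +0000] "GET /wp-admin/admin-ajax.php?action=tickera_tickets_info HTTP/1.1" 200 812 "-" "curl/8.4.0"
198.51.100.7 - - [14/Dec/2024:04:31:10 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 96 "https://example.test/" "Mozilla/5.0"
203.0.113.10 - - [14/Dec/2024:04:30:03 +0000] "GET /wp-admin/admin-ajax.php?action=tickera_tickets_info&offset=50 HTTP/1.1" 200 790 "-" "curl/8.4.0"
203.0.113.10 - - [14/Dec/2024:04:30:04 +0000] "GET /wp-admin/admin-ajax.php?action=tickera_tickets_info&offset=100 HTTP/1.1" 200 803 "-" "curl/8.4.0"
192.0.2.55 - - [14/Dec/2024:04:35:00 +0000] "GET /wp-admin/admin-ajax.php?action=tickera_tickets_info HTTP/1.1" 403 0 "-" "Mozilla/5.0"
"""


def parse_line(line: str) -> Optional[dict]:
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def find_endpoint_hits(lines: Iterable[str]) -> List[dict]:
    """Return parsed records whose request URI references the endpoint (case-insensitive)."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and ENDPOINT in rec["uri"].lower():
            hits.append(rec)
    return hits


def summarize_by_client(hits: Iterable[dict], repeat_threshold: int = 3) -> Dict[str, dict]:
    """Per client IP: how many endpoint requests got a 2xx (data served) versus any other
    status (denied, redirected or failed), and whether served requests hit the threshold."""
    summary: Dict[str, dict] = defaultdict(
        lambda: {"served": 0, "not_served": 0, "repeated": False}
    )
    for rec in hits:
        entry = summary[rec["ip"]]
        if 200 <= rec["status"] < 300:
            entry["served"] += 1
        else:
            entry["not_served"] += 1
    for entry in summary.values():
        entry["repeated"] = entry["served"] >= repeat_threshold
    return dict(summary)


def report(summary: Dict[str, dict]) -> List[str]:
    """Human-readable alert lines, one per client, most served requests first."""
    lines = []
    for ip, e in sorted(summary.items(), key=lambda kv: -kv[1]["served"]):
        flag = " REPEATED ACCESS" if e["repeated"] else ""
        lines.append(
            f"{ip}: {e['served']} served, {e['not_served']} not served{flag}"
        )
    return lines


if __name__ == "__main__":
    hits = find_endpoint_hits(SAMPLE_LOG.splitlines())
    for line in report(summarize_by_client(hits)):
        print(line)
```

Point `find_endpoint_hits` at the real access log (for example `open(path)` iterated line by line) instead of `SAMPLE_LOG`. Any client still receiving 2xx responses for this endpoint after a WAF or server-level block has been deployed means the rule is not matching the request as actually sent, which is the first thing to verify.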


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2024-12-12T15:53:45.659Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 699f6e43b7ef31ef0b59bf07

Added to database: 2/25/2026, 9:48:51 PM

Last enriched: 2/26/2026, 3:42:39 AM

Last updated: 2/26/2026, 6:44:19 AM

Views: 1
