CVE-2024-13457 is an access control vulnerability identified in the Event Tickets and Registration plugin for WordPress, affecting all versions up to and including 5.18.1. The root cause is an Insecure Direct Object Reference (IDOR) vulnerability stemming from the lack of proper validation on the tc-order-id parameter, which is user-controlled. This parameter is used to retrieve order details, but without adequate authorization checks, an attacker can manipulate it to access order information belonging to other users. The exposed data includes sensitive details such as ticket prices, user email addresses, and order dates. The vulnerability is exploitable remotely without any authentication or user interaction, increasing its risk profile. The CVSS 3.1 base score is 5.3, indicating a medium severity level primarily due to confidentiality impact without affecting integrity or availability. No patches or fixes are currently linked, and no known exploits have been reported in the wild. The vulnerability falls under CWE-284 (Improper Access Control), highlighting a failure to enforce proper authorization policies within the plugin's code handling order data retrieval.

The primary impact of CVE-2024-13457 is unauthorized disclosure of sensitive customer and transactional information. Attackers can access order details such as ticket prices and user emails without authentication, which can lead to privacy violations, potential phishing attacks, and reputational damage for affected organizations. Although the vulnerability does not allow modification or deletion of data, the exposure of personally identifiable information (PII) can have regulatory compliance implications, especially under data protection laws like GDPR or CCPA. Event organizers relying on this plugin may face customer trust erosion and potential legal consequences if exploited. The ease of exploitation and lack of authentication requirements increase the likelihood of opportunistic attacks, especially on publicly accessible WordPress sites. However, the scope is limited to sites using this specific plugin, and the impact does not extend to system integrity or availability.

To mitigate CVE-2024-13457, organizations should immediately update the Event Tickets and Registration plugin to a patched version once available. In the absence of an official patch, administrators can implement the following practical measures: 1) Restrict access to order details pages by enforcing server-side authorization checks to validate that the requesting user owns the order associated with the tc-order-id parameter. 2) Employ Web Application Firewalls (WAFs) to detect and block suspicious parameter tampering attempts targeting the tc-order-id field. 3) Limit exposure of sensitive order data on publicly accessible endpoints and consider requiring user authentication for accessing order details. 4) Monitor web server logs for unusual access patterns or repeated attempts to enumerate order IDs. 5) Educate site administrators on the risks of exposing order information and encourage regular plugin updates and security audits. 6) If feasible, implement rate limiting on order detail requests to reduce the risk of automated exploitation.