Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-13755

CVE-2026-13755: Tickera WordPress Plugin XSS Vulnerability

CVE-2026-13755 is a stored cross-site scripting flaw in the Tickera WordPress plugin that allows authenticated attackers to inject malicious scripts. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2026-13755 Overview

CVE-2026-13755 is a stored cross-site scripting (XSS) vulnerability affecting the Tickera – Sell Tickets & Manage Events plugin for WordPress. The flaw exists in all versions up to and including 3.6.0.0 and stems from insufficient input sanitization and output escaping on the price_wrapper shortcode attribute. Authenticated attackers with contributor-level access or higher can inject arbitrary web scripts into pages. The injected scripts execute when a user views the affected page, but only if that user has the referenced ticket ID stored in their cart cookie. The vulnerability is tracked as [CWE-79] Improper Neutralization of Input During Web Page Generation.

Critical Impact

Contributor-level users can persist JavaScript into WordPress pages that fires against site visitors who have added the referenced ticket to their cart.

Affected Products

  • Tickera – Sell Tickets & Manage Events plugin for WordPress
  • All versions up to and including 3.6.0.0
  • WordPress sites running the vulnerable class.shortcodes.php component

Discovery Timeline

  • 2026-07-16 - CVE-2026-13755 published to NVD
  • 2026-07-16 - Last updated in NVD database

Technical Details for CVE-2026-13755

Vulnerability Analysis

The Tickera plugin exposes shortcodes that render ticket-related markup on WordPress pages. The price_wrapper attribute passed to one of these shortcodes is embedded into the generated HTML without adequate sanitization or output escaping. An attacker with contributor privileges can craft a post or page that supplies a malicious price_wrapper value containing JavaScript. When rendered, the payload becomes part of the page's stored HTML and executes in the browser of any visitor whose session state satisfies the cart cookie condition.

The affected logic sits inside the plugin's shortcode handling code in includes/classes/class.shortcodes.php, referenced at lines 33, 212, and 232 of the 3.6.0.0 tag. The fix landed in WordPress Changeset 3605637.

Root Cause

The root cause is missing input sanitization on the price_wrapper shortcode attribute combined with missing output escaping when that value is written into the page markup. WordPress provides helpers such as esc_attr() and wp_kses() for these cases, and neither was applied to the attacker-controlled attribute. This turns a normally trusted shortcode parameter into an HTML/JS injection sink.

Attack Vector

Exploitation requires an authenticated account at contributor level or above. The attacker publishes or edits content containing the Tickera shortcode with a crafted price_wrapper attribute holding a JavaScript payload. The stored payload executes only for visitors whose cart cookie references the ticket ID cited in the shortcode. Successful execution runs script in the origin of the WordPress site, allowing session token theft, forced navigation, or actions performed as the victim user. See the Wordfence Vulnerability Report and the vulnerable code at class.shortcodes.php L212.

Detection Methods for CVE-2026-13755

Indicators of Compromise

  • Tickera shortcodes stored in wp_posts containing price_wrapper attribute values with <script>, on*= event handlers, or javascript: URIs.
  • Contributor or author accounts publishing or editing pages that include Tickera ticket shortcodes outside their normal workflow.
  • Outbound requests from site visitors to unfamiliar domains immediately after loading pages that render Tickera ticket components.

Detection Strategies

  • Query the WordPress database for shortcode instances referencing price_wrapper and inspect the attribute contents for HTML or JavaScript tokens.
  • Review the plugin file includes/classes/class.shortcodes.php against version 3.6.0.0 to confirm whether the patched build is running.
  • Correlate WordPress audit logs of post creation and edits by contributor-level accounts with page rendering telemetry to identify suspicious content.

Monitoring Recommendations

  • Enable a WordPress activity log plugin to capture post revisions by non-administrator roles.
  • Alert on responses served from the WordPress origin containing inline <script> fragments near Tickera-generated markup.
  • Track anomalous cart cookie interactions and unexpected DOM script execution during authenticated shopping sessions.

How to Mitigate CVE-2026-13755

Immediate Actions Required

  • Update the Tickera – Sell Tickets & Manage Events plugin to the version released in WordPress Changeset 3605637, which supersedes 3.6.0.0.
  • Audit all posts and pages that use Tickera shortcodes and remove any price_wrapper values containing HTML or script content.
  • Review contributor-level and higher accounts, rotate credentials, and remove accounts that are no longer required.

Patch Information

The vendor addressed the issue by adding input sanitization and output escaping to the shortcode handling logic in class.shortcodes.php. Administrators should upgrade to the fixed release published after 3.6.0.0 via the WordPress plugin repository. Confirm the plugin version in the WordPress admin console after the upgrade completes.

Workarounds

  • Restrict the contributor and author roles from using Tickera shortcodes until the plugin is patched.
  • Temporarily disable the Tickera plugin on production sites that cannot upgrade immediately.
  • Deploy a web application firewall rule that blocks shortcode submissions containing <, >, or javascript: inside the price_wrapper attribute.
bash
# Configuration example
wp plugin update tickera-event-ticketing-system
wp plugin get tickera-event-ticketing-system --field=version

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.