Due to missing authorization controls in the "admin_init" hooks, all personal data of the registered users of an event could be exported into a downloadable PDF file by any unauthenticated user. The event ID could be read from the page source and/or easily enumerated in sequence.
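The pattern behind this class of bug, as an added example that is not Tickera's code: `admin_init` fires on `admin-post.php` and `admin-ajax.php` for visitors who are not logged in, so an export handler attached to it with no capability or nonce check is reachable by anyone. All function, hook and field names are hypothetical; `example_stream_attendee_pdf()` stands in for the plugin's PDF generator and is assumed to exist.

```php
<?php
// Added example, not the plugin's code. Hook, function and field names are hypothetical.

// Vulnerable pattern: admin_init also runs for admin-post.php and admin-ajax.php
// requests, which WordPress serves to anonymous visitors. A handler keyed only on
// a request parameter therefore hands the export to anyone who knows or guesses an ID.
function example_export_attendees_vulnerable() {
    if ( ! isset( $_POST['example_export_event_id'] ) ) {
        return;
    }
    $event_id = absint( $_POST['example_export_event_id'] );
    example_stream_attendee_pdf( $event_id ); // assumed helper; streams attendee PII
    exit;
}
// add_action( 'admin_init', 'example_export_attendees_vulnerable' );

// Hardened pattern: register a named admin_post_{action} hook (logged-in users only;
// the admin_post_nopriv_ variant is deliberately not registered), then require a
// capability, a valid nonce, and a per-object check that the user may edit this event.
function example_export_attendees_hardened() {
    if ( ! is_user_logged_in() || ! current_user_can( 'edit_posts' ) ) {
        wp_die( esc_html__( 'Not allowed.', 'example' ), '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'example_export_attendees' ); // dies on a missing or bad nonce

    $event_id = isset( $_POST['example_export_event_id'] ) ? absint( $_POST['example_export_event_id'] ) : 0;
    // 'edit_posts' is coarse; confirm this specific event belongs to the caller.
    if ( ! $event_id || 'example_event' !== get_post_type( $event_id ) || ! current_user_can( 'edit_post', $event_id ) ) {
        wp_die( esc_html__( 'Not allowed.', 'example' ), '', array( 'response' => 403 ) );
    }
    example_stream_attendee_pdf( $event_id );
    exit;
}
add_action( 'admin_post_example_export_attendees', 'example_export_attendees_hardened' );

// Form side: emits the action name and the nonce field the handler verifies.
function example_export_form( $event_id ) {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="example_export_attendees">';
    echo '<input type="hidden" name="example_export_event_id" value="' . esc_attr( $event_id ) . '">';
    wp_nonce_field( 'example_export_attendees' );
    submit_button( __( 'Export attendees', 'example' ) );
    echo '</form>';
}
```

Detection note: an unauthenticated POST to `admin-post.php` that returns a PDF (or a sequence of such requests with incrementing IDs) is the observable trace of the exposure; the hardened handler instead answers 403 or a nonce failure.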
According to the original researcher, "After several attempts to contact the Plugin vendor (Twitter, email), we followed generally accepted disclosure guidelines. A lengthy correspondence with Tickera support was not successful as well."
April 8th, 2020 - Report Received & Escalated to WP Plugins Team
April 9th, 2020 - v188.8.131.52 released
April 11th, 2020 - Disclosure
Proof of Concept
POST /wp-admin/admin-post.php HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept-Encoding: gzip, deflate