Atomic Edge analysis of CVE-2025-67939:
The Tickera WordPress plugin, versions up to and including 3.5.6.2, contains a missing authorization vulnerability. This flaw allows authenticated users with Subscriber-level permissions or higher to perform unauthorized actions. The vulnerability resides in the plugin’s handling of hidden events, specifically within the `get_hidden_events_ids` function.

Atomic Edge research identifies the root cause in the `get_hidden_events_ids` function within `/includes/classes/class.events.php`. The function originally lacked a capability check to verify user permissions before executing its database query. The function retrieves a list of event IDs marked as hidden via the `hide_event_after_expiration` post meta. The absence of an authorization mechanism allowed any authenticated user to call this function and access potentially sensitive event data.

Exploitation requires an authenticated attacker with at least Subscriber-level access. The attacker would target the plugin’s front-end components that call the vulnerable `get_hidden_events_ids` function. This includes the Gutenberg block rendering functions in `/includes/addons/gutenberg/index.php` and the shortcode handler in `/includes/classes/class.shortcodes.php`. An attacker could manipulate requests to these components, such as by crafting specific URL parameters or interacting with Gutenberg blocks, to trigger the function and retrieve the list of hidden event IDs.

The patch modifies the `get_hidden_events_ids` function to accept an optional `$event_id` parameter. The function’s SQL query now includes a conditional check for this specific ID. More critically, the patch adds authorization checks in multiple front-end rendering functions. In `/includes/addons/gutenberg/index.php`, functions like `render_event_tickets_table_content`, `render_event_add_to_cart_rows_content`, `render_event_seating_charts_content`, and `render_event_seating_chart_legend_content` now call `TC_Events::get_hidden_events_ids($event_id)`. If the event is hidden and the request is not a REST API call, these functions return empty markup instead of the event content. The shortcode handler in `class.shortcodes.php` receives a similar check.
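The following PHP sketch is an added illustration of the two fixes the advisory describes (a per-event lookup instead of a full enumeration, and a front-end rendering guard for hidden events), written against WordPress core APIs; it is not Tickera's own code. The function names `tc_example_get_hidden_event_ids` and `tc_example_render_event`, the `manage_options` and `edit_post` capability choices, and the `yes` meta value are assumptions, not details taken from the plugin.

```php
<?php
/**
 * Added illustration (not Tickera's code): the hardening pattern described
 * above, expressed with WordPress core APIs. Function names, the capability
 * strings and the stored meta value are assumptions.
 */

/**
 * Return the IDs of events marked hidden via the `hide_event_after_expiration`
 * post meta. When $event_id is given, the query is restricted to that single
 * post, so an unprivileged caller only learns whether the event it is already
 * rendering is hidden and never receives the full list of hidden events.
 */
function tc_example_get_hidden_event_ids( $event_id = null ) {
    global $wpdb;

    // Enumerating every hidden event is an administrative operation
    // (capability string is an assumption); everyone else must ask about
    // one specific event.
    if ( null === $event_id && ! current_user_can( 'manage_options' ) ) {
        return array();
    }

    $sql  = "SELECT post_id FROM {$wpdb->postmeta} WHERE meta_key = %s AND meta_value = %s";
    $args = array( 'hide_event_after_expiration', 'yes' ); // 'yes' is an assumed stored value

    if ( null !== $event_id ) {
        $sql   .= ' AND post_id = %d';
        $args[] = (int) $event_id;
    }

    // $wpdb->prepare() binds the placeholders; get_col() returns a single column.
    return array_map( 'intval', $wpdb->get_col( $wpdb->prepare( $sql, $args ) ) );
}

/**
 * Front-end rendering guard: a hidden event yields empty output for ordinary
 * front-end requests, while REST requests (editor previews) and users allowed
 * to edit the event still receive its content.
 *
 * @param int      $event_id         Post ID of the event being rendered.
 * @param callable $content_callback Produces the real markup for the event.
 */
function tc_example_render_event( $event_id, $content_callback ) {
    $is_rest = defined( 'REST_REQUEST' ) && REST_REQUEST;
    $hidden  = in_array( (int) $event_id, tc_example_get_hidden_event_ids( $event_id ), true );

    if ( $hidden && ! $is_rest && ! current_user_can( 'edit_post', $event_id ) ) {
        return '';
    }

    return call_user_func( $content_callback, $event_id );
}

// Usage inside a block or shortcode handler (illustrative):
// echo tc_example_render_event( $event_id, 'tc_example_build_tickets_table' );
```

The two checks work together: restricting the query to `$event_id` removes the bulk disclosure even if a caller reaches the function, and the rendering guard stops the front-end paths (Gutenberg block callbacks and the shortcode handler) from emitting content for an event an administrator has hidden.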

Successful exploitation leads to unauthorized information disclosure. Attackers can discover the existence and IDs of events that administrators have intentionally hidden from public view, such as expired or private events. This violates the intended access control policy and could aid in further reconnaissance or targeted attacks against the event management system.