This plugin is an odd beast: parts of it are very well architected, others not. It contains numerous issues of concern.
Contains numerous unescaped outputs and unfiltered inputs:
- ./lib/the-events-calendar.class.php lines 3219 onwards
- ajax_handler_ticket_add in ./lib/tickets/tribe-tickets.php
This plugin also passes unsanitised input into hook arguments and abstract functions, making it very hard to trace how those inputs are used.
Although many SQL statements are prepared, a large one is not in lib/tribe-admin-events-list.class.php at line 3617.
The plugin also uses call_user_func with unvalidated inputs. These are not trivially exploitable (as far as we are aware) because the callable is split into a class name and method:
// Note: $vars is derived from $_GET['attendee'] without whitelisting $obj = call_user_func( array( $vars, 'get_instance' ) );
However, this is definitely an idiom which needs to be employed with greater care.
Reason for the 'Potentially unsafe' result
The plugin contains or is likely to contain a vulnerability which could be exploited by an end user and which would compromise the site’s confidentiality, integrity or availability:
Numerous examples of poor security practice, probably contains XSS, indications of SQLi and arbitrary code vulnerabilities as well (not investigated).