The Tickera plugin for WordPress, which is used for selling event tickets, has a security issue that allows anyone to run shortcodes without proper validation. This means that people who are not logged in can use this vulnerability to run any code they want.