CVE-2024-1126

2024-03-1315:27:16

Wordfence

www.cve.org

eventprime

wordpress

unauthorized access

data

missing capability check

vulnerability

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

AI Score

5.3

Confidence

High

EPSS

Percentile

9.0%

JSON

The EventPrime – Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the get_attendees_email_by_event_id() function in all versions up to, and including, 3.4.1. This makes it possible for authenticated attackers, with subscriber-level access and above, to to retrieve the attendees list for any event.

CNA Affected

[
  {
    "vendor": "metagauss",
    "product": "EventPrime – Events Calendar, Bookings and Tickets",
    "versions": [
      {
        "version": "*",
        "status": "affected",
        "lessThanOrEqual": "3.4.1",
        "versionType": "semver"
      }
    ],
    "defaultStatus": "unaffected"
  }
]

References

plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3033882%40eventprime-event-calendar-management&new=3033882%40eventprime-event-calendar-management&sfp_email=&sfph_mail=

www.wordfence.com/threat-intel/vulnerabilities/id/d266b6ee-24ec-4363-a986-5ccd4db5ae3c?source=cve