Directory Traversal Vulnerability in Eventer Plugin for WordPress
CVE-2024-10799

6.5MEDIUM

Key Information:

Vendor: Wordpress
Status: Eventer - WordPress Event & Booking Manager Plugin
Vendor: CVE Published:; 17 January 2025

Summary

The Eventer plugin for WordPress is susceptible to a Directory Traversal vulnerability affecting all versions up to and including 3.9.7. This issue arises through the eventer_woo_download_tickets() function, allowing authenticated users with at least Subscriber-level access to exploit it. An attacker can potentially access and read the content of arbitrary files on the server, which could contain sensitive data and lead to further exploitation of the web application. Website administrators are advised to review affected systems and apply patches or updates where applicable.

Affected Version(s)

Eventer - WordPress Event & Booking Manager Plugin * <= 3.9.7

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://codecanyon.net/item/eventer-wordpress-event-manag...

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jan 17, 2025
Vulnerability Reserved
Nov 4, 2024

Credit

Tonn