Unauthorized Access Vulnerability in Eventer Plugin for WordPress
CVE-2024-11134
6.5MEDIUM
Key Information:
- Vendor
- Imithemes
- Status
- Eventer - WordPress Event & Booking Manager Plugin
- Vendor
- CVE Published:
- 3 February 2025
Summary
The Eventer plugin for WordPress is affected by a vulnerability that allows unauthorized access to sensitive data due to a missing capability check in the 'eventer_export_bookings_csv' function. Authenticated attackers with subscriber-level permissions or higher can exploit this weakness to download booking records, which may include personal identifiers of customers. This issue is present in all versions of the plugin up to and including version 3.9.9, posing a significant risk of personal data exposure for users.
Affected Version(s)
Eventer - WordPress Event & Booking Manager Plugin * <= 3.9.9
References
CVSS V3.1
Score:
6.5
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
István Márton