Users with contributor role can leak sensitive event details
CVE-2024-1295

6.5MEDIUM

Key Information:

Vendor: Wordpress
Status: Events-calendar-pro; The Events Calendar
Vendor: CVE Published:; 14 June 2024

Badges

👾 Exploit Exists🟡 Public PoC

Summary

The events-calendar-pro WordPress plugin before 6.4.0.1, The Events Calendar WordPress plugin before 6.4.0.1 does not prevent users with at least the contributor role from leaking details about events they shouldn't have access to. (e.g. password-protected events, drafts, etc.)

Affected Version(s)

events-calendar-pro 0 < 6.4.0.1

The Events Calendar 0 < 6.4.0.1

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2024-1295 - Proof of Concept

References

https://wpscan.com/vulnerability/3cffbeb0-545a-4002-b02c-...

exploitvdb-entrytechnical-description

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

🟡
Public PoC available
Jun 14, 2024
👾
Exploit known to exist
Jun 14, 2024
Vulnerability published
Jun 14, 2024
Vulnerability Reserved
Feb 6, 2024

Credit

Scott Kingsley Clark

WPScan