Unauthorized Access to Private or Password-Protected Events Due to Missing Authorization Checks in EventPrime Plugin
CVE-2024-8369
5.3 MEDIUM
Key Information:
- Vendor: WordPress
- CVE Published: 10 September 2024
Summary
The EventPrime – Events Calendar, Bookings and Tickets plugin for WordPress has a vulnerability that exposes private and password-protected events. Versions up to and including 4.0.4.3 lack proper authorization checks, so unauthorized individuals can access sensitive event information without authenticating. This can expose private event details, potentially affecting user privacy and data security.
Affected Version(s)
EventPrime – Events Calendar, Bookings and Tickets * <= 4.0.4.3
References
CVSS V3.1
Score: 5.3
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Miguel Santareno