CVE-2024-11396
published 2025-01-14


Priority: P3 / 38 / medium
CVSS 3.1: 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
Exploit: EPSS 1.94% (77.6th percentile)
The Event Monster – Event Management, Tickets Booking, Upcoming Event plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.4.3 via the Visitors List Export file. During the export, a CSV file is created in the wp-content folder with a hardcoded filename that is publicly accessible. This makes it possible for unauthenticated attackers to extract data about event visitors, including first and last names, email, and phone number.

Affected (2 ranges)

Vendor          Product                               Version range   Fixed in
awordpresslife  event_monster_manager_ticket_booking  <= 1.4.3        -
awplife         event_monster                         < 1.4.4         1.4.4

Detection & IOCs (extracted from sources)

path:  /wp-content/uploads/visitors-list.csv
path:  /wp-content/plugins/event-monster/readme.txt
other: First Name, Last Name, Email, Phone, Event
  • Use Shodan or FOFA to identify exposed WordPress instances running the Event Monster plugin via the query http.html:"wp-content/plugins/event-monster" or body="wp-content/plugins/event-monster".
  • The CSV file is only present on disk when an administrator has triggered a Visitors List Export; the file will not exist on sites where no export has been performed.
  • The vulnerability is unauthenticated — no credentials or session tokens are required to retrieve the CSV file, making it trivially exploitable by any network attacker.
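The two paths above are enough to build a retrospective check against a site's web server access log. The script below is an added example (not part of the advisory or the plugin) that classifies requests for the hardcoded export file: a 200 with a non-zero body means visitor data was actually served, a 404 means the file was probed but no export existed on disk, and a hit on the plugin's readme.txt is a likely fingerprinting step. The log lines are constructed for the example, in the common Apache/nginx "combined" format; the helper names are the example's own.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Paths taken from the advisory's IOC list.
EXPOSED_CSV = "/wp-content/uploads/visitors-list.csv"
PLUGIN_README = "/wp-content/plugins/event-monster/readme.txt"

# Combined log format (Apache/nginx default):
# ip ident user [timestamp] "METHOD path HTTP/ver" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Constructed sample lines (not real traffic) covering the cases worth telling apart.
SAMPLE_LOG = """\
203.0.113.10 - - [14/Jan/2025:10:02:11 +0000] "GET /wp-content/plugins/event-monster/readme.txt HTTP/1.1" 200 2210 "-" "curl/8.4.0"
203.0.113.10 - - [14/Jan/2025:10:02:13 +0000] "GET /wp-content/uploads/visitors-list.csv HTTP/1.1" 200 4821 "-" "curl/8.4.0"
198.51.100.7 - - [14/Jan/2025:11:40:51 +0000] "GET /wp-content/uploads/visitors-list.csv HTTP/1.1" 404 196 "-" "python-requests/2.31"
203.0.113.10 - - [14/Jan/2025:12:15:02 +0000] "GET /wp-content/uploads/visitors-list.csv?cb=17 HTTP/1.1" 200 4821 "-" "curl/8.4.0"
203.0.113.77 - - [14/Jan/2025:12:16:40 +0000] "GET /wp-content/uploads/visitors%2Dlist.csv HTTP/1.1" 200 4821 "-" "Mozilla/5.0"
192.0.2.5 - - [14/Jan/2025:12:20:00 +0000] "GET /wp-admin/admin.php?page=event-monster HTTP/1.1" 200 18220 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    return rec


def normalize_path(target):
    """Drop the query string and percent-decoding so evasions still match the IOC path."""
    return unquote(target.split("?", 1)[0])


def classify(rec):
    """Label a parsed request by what it tells us about this CVE, or None if unrelated."""
    path = normalize_path(rec["target"])
    if path == EXPOSED_CSV:
        # Only a 200 with a body proves the export was actually handed out.
        if rec["status"] == 200 and rec["bytes"] > 0:
            return "csv_retrieved"
        return "csv_probe"
    if path == PLUGIN_README:
        return "plugin_fingerprint"
    return None


def analyze(log_text):
    """Walk a log, count each finding type and collect the IPs that obtained the CSV."""
    counts = Counter()
    retrievers = set()
    events = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        label = classify(rec)
        if label is None:
            continue
        counts[label] += 1
        events.append((rec["ts"], rec["ip"], label))
        if label == "csv_retrieved":
            retrievers.add(rec["ip"])
    return {"counts": counts, "retrievers": retrievers, "events": events}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for ts, ip, label in result["events"]:
        print(f"{ts}  {ip:<14} {label}")
    print("counts:", dict(result["counts"]))
    print("IPs that obtained visitor data:", sorted(result["retrievers"]))
```

Any "csv_retrieved" event should be treated as a confirmed disclosure of the exported visitor records for that site, since the file is served without authentication; the remediation on the page (update to 1.4.4) also calls for deleting any leftover visitors-list.csv from wp-content/uploads, because the upgrade alone does not remove a file already written there.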