CVE-2024-11396
Published: 2025-01-14
Priority: P3 · 38 · Severity: medium · CVSS 3.1 base score: 5.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
EPSS: 1.94% (77.6th percentile)
The Event Monster – Event Management, Tickets Booking, Upcoming Event plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.4.3 via the Visitors List Export file. During the export, a CSV file is created in the wp-content folder with a hardcoded filename that is publicly accessible. This makes it possible for unauthenticated attackers to extract data about event visitors, including first and last names, email addresses, and phone numbers.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| awordpresslife | event_monster_manager_ticket_booking | <= 1.4.3 | — |
| awplife | event_monster | < 1.4.4 | 1.4.4 |
Detection & IOCs (extracted from sources)
path: /wp-content/plugins/event-monster/readme.txt
other (CSV column headers): First Name, Last Name, Email, Phone, Event
- Use Shodan or FOFA to identify exposed WordPress instances running the Event Monster plugin via the query http.html:"wp-content/plugins/event-monster" or body="wp-content/plugins/event-monster".
- The CSV file is only present on disk when an administrator has triggered a Visitors List Export; the file will not exist on sites where no export has been performed.
- The vulnerability is unauthenticated: no credentials or session tokens are required to retrieve the CSV file, making it trivially exploitable by any network attacker.
No detection rules found.
Nuclei
nuclei · CVSS 5.3
CVE-2024-11396 [MEDIUM] Event Monster <= 1.4.3 - Information Exposure Via Visitors List Export
Template (truncated as indexed):

```yaml
id: CVE-2024-11396
info:
  name: Event Monster <= 1.4.3 - Information Exposure Via Visitors List Export
  author: s4e-io
  severity: medium
  description: |
    The Event Monster Event Management, Tickets Booking, Upcoming Event plugin for WordPres
```
No writeups or analysis indexed.