Severity: 5.3 MEDIUM (NVD); 4.3 (GHSA)
EPSS: 0.1% (top 69.88%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products: see Affected Packages below
Timeline: Published Mar 13; Latest update Apr 12

Description

The EventPrime – Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to payment bypass in all versions up to, and including, 3.4.2. This is due to the plugin allowing unauthenticated users to update the status of order payments. This makes it possible for unauthenticated attackers to book events for free.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Exploitability: 3.9 | Impact: 1.4

Affected Packages: 1 package

Patches

Vulnerability Details (45)

VulDB: EventPrime Plugin up to 3.4.2 on WordPress Booking Payment improper authentication (2026-04-12)

CVE-2024-1321 — Metagauss Eventprime vulnerability | cvebase