CVE-2024-13526: Missing Authorization in Eventprime

Severity: 4.3 MEDIUM (NVD)
EPSS: 0.1% (top 80.72%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline
Published: Mar 7

Description

The EventPrime – Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the export_submittion_attendees function in all versions up to, and including, 4.0.7.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to download the list of attendees for any event.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Exploitability: 2.8 | Impact: 1.4

Affected Packages (1 package)

NVD: metagauss/eventprime < 4.0.7.4

Vulnerability Details (2)

CVEList (2025-03-07): EventPrime – Events Calendar, Bookings and Tickets <= 4.0.7.3 - Missing Authorization to Authenticated (Subscriber+) Event Attendees Export
GHSA (2025-03-07): GHSA-gx7j-9f5h-mcm4: The EventPrime – Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability c