CVE-2024-4665

CWE-639 — Insecure Direct Object Reference3 documents3 sources

Severity

6.4MEDIUM

EPSS

0.2%

top 62.24%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Unknown Eventprime Metagauss Eventprime

Timeline

PublishedMay 15

Description

The EventPrime WordPress plugin before 3.5.0 does not properly validate permissions when updating bookings, allowing users to change/cancel bookings for other users. Additionally, the feature is lacking a nonce.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:NExploitability: 3.1 | Impact: 2.7

Affected Packages2 packages

▶CVEListV5unknown/eventprime3.4.9 — 3.5.0

▶NVDmetagauss/eventprime< 3.5.0

🔴Vulnerability Details

CVEList

EventPrime – Events Calendar, Bookings and Tickets < 3.5.0 - Subscriber+ Arbitrary booking settings update↗2025-05-15

▶

GHSA

GHSA-6p5x-4w46-32gx: The EventPrime WordPress plugin before 3↗2025-05-15

▶