WordPress Plugin Vulnerabilities

EventPrime < 3.3.5 - Unauthenticated Booking Price Manipulation

Description

The plugin is vulnerable to booking price manipulations due to insufficient validation and control of booking prices in versions up to, and including, 3.3.4. This makes it possible for unauthenticated attackers to make bookings with lower prices.

Affects Plugins

Plugin icon
eventprime-event-calendar-management
Fixed in 3.3.5

References

CVE
CVE-2024-31275
URL
https://patchstack.com/database/vulnerability/eventprime-event-calendar-management/wordpress-eventprime-plugin-3-3-4-booking-price-manipulation-vulnerability

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Joshua Chan
Verified
No
WPVDB ID
03341945-46e2-4b5c-ba08-fe107cb932d1

Timeline

Publicly Published
2024-04-05 (about 2 years ago)
Added
2024-04-12 (about 2 years ago)
Last Updated
2024-04-12 (about 2 years ago)

Other

Published
Title
Published
2026-01-08
Title
Tutor LMS – eLearning and online course solution < 3.9.4 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Course Completion
Published
2024-08-16
Title
Photo Engine < 6.4.1 - Missing Authorization
Published
2024-10-17
Title
WP REST API FNS <= 1.0.0 - Privilege Escalation
Published
2025-06-05
Title
Testimonials Showcase < 1.9.18 - Missing Authorization
Published
2025-07-22
Title
LoginWP - Pro < 4.0.8.6 - Missing Authorization to Unauthenticated Settings Update