WordPress Plugin Vulnerabilities

Events Manager < 6.4.7.2 - Cross-Site Request Forgery

Description

The Events Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 6.4.7.1. This is due to missing or incorrect nonce validation. This makes it possible for unauthenticated attackers to perform an unauthorized action via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Affects Plugins

Plugin icon
events-manager
Fixed in 6.4.7.2

References

CVE
CVE-2024-30421
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/86351e2c-8c5a-4d71-bd73-d5ae1f03038f

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Dhabaleshwar Das
Verified
No
WPVDB ID
092881d5-b380-4969-a529-7df07013d96e

Timeline

Publicly Published
2024-03-28 (about 2 years ago)
Added
2024-04-03 (about 2 years ago)
Last Updated
2024-04-03 (about 2 years ago)

Other

Published
Title
Published
2024-06-18
Title
Hueman < 3.7.25 - Cross-Site Request Forgery to Notice Dismissal
Published
2023-03-29
Title
Wp Ultimate Review < 2.1.0 - Settings Update via CSRF
Published
2025-06-19
Title
TM Replace Howdy <= 1.4.2 - Cross-Site Request Forgery
Published
2025-08-15
Title
LatestCheckins <= 1 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Published
2019-06-19
Title
Personalized WooCommerce Cart Page <= 2.4 - Cross-Site Request Forgery (CSRF)