WordPress Plugin Vulnerabilities

EventPrime < 3.4.0 - Improper Input Validation via save_event_booking

Description

The EventPrime plugin for WordPress is vulnerable to unauthorized modification of data due to improper input validation in the 'save_event_booking' function in versions up to, and including, 3.3.9. This makes it possible for unauthenticated attackers to modify the price and other attributes of purchased tickets.

Affects Plugins

Plugin icon
eventprime-event-calendar-management
Fixed in 3.4.0

References

CVE
CVE-2024-24832
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/17cbcf67-f10d-41bc-acf7-98e5d99b50af

Classification

Type
ACCESS CONTROLS
OWASP top 10
A5: Broken Access Control
CWE
CWE-284
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Abdi Pranata
Verified
No
WPVDB ID
0b2a34b6-687a-4112-95e8-15bde0f4dc33

Timeline

Publicly Published
2024-02-02 (about 2 years ago)
Added
2024-02-06 (about 2 years ago)
Last Updated
2024-02-06 (about 2 years ago)

Other

Published
Title
Published
2021-10-05
Title
Simple Download Monitor < 3.9.6 - Unauthorised Log Reset
Published
2024-02-01
Title
ARMember < 4.0.25 - Improper Access Control to Sensitive Information Exposure via REST API
Published
2024-05-21
Title
AI ChatBot < 5.3.6 - Missing Authorization via openai_file_delete_callback
Published
2022-07-26
Title
WPGraphQL WooCommerce < 0.12.4 - Unauthenticated Coupon Codes Disclosure
Published
2021-08-23
Title
Timetable and Event Schedule by MotoPress < 2.4.2 - Unauthorised Event TimeSlot Update