WordPress Plugin Vulnerabilities

The Events Calendar < 6.2.9 - Unauthenticated Sensitive Information Exposure

Description

The plugin is vulnerable to Sensitive Information Exposure in all versions up to, and including, 6.2.8.2 via the route function hooked into wp_ajax_nopriv_tribe_dropdown. This makes it possible for unauthenticated attackers to extract potentially sensitive data including post titles and IDs of pending, private and draft posts.

Affects Plugins

Plugin icon
the-events-calendar
Fixed in 6.2.9

References

CVE
CVE-2023-6557
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/fc40196e-c0f3-4bc6-ac4b-b866902def61

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Nicolas Decayeux
Verified
No
WPVDB ID
27b3156e-25af-4976-876e-db364a366213

Timeline

Publicly Published
2024-01-12 (about 2 years ago)
Added
2024-01-12 (about 2 years ago)
Last Updated
2024-01-12 (about 2 years ago)

Other

Published
Title
Published
2025-08-06
Title
WP Lead Capturing Pages < 2.6 - Missing Authorization to Arbitrary Content Deletion
Published
2025-03-04
Title
Lafka - Multi Store Burger - Pizza & Food Delivery WooCommerce Theme <= 4.5.7 - Missing Authorization to Authenticated (Subscriber+) Demo Import
Published
2025-01-31
Title
ELEX WordPress HelpDesk & Customer Ticketing System < 3.2.7 - Missing Authorization to Authenticated (Subscriber+) Privilege Escalation
Published
2025-12-31
Title
Headinger for Elementor <= 1.1.4 - Missing Authorization
Published
2025-06-09
Title
Membership For WooCommerce < 2.8.2 - Missing Authorization