The Events Calendar (Free < 6.4.0.1, Pro < 6.4.0.1) – Contributor+ Arbitrary Events Access | CVE 2024-1295

Description

The plugin does not prevent users with at least the contributor role from leaking details about events they shouldn't have access to. (e.g. password-protected events, drafts, etc.)

Proof of Concept

Free:
1. ADMIN: Install The Events Calendar
2. ADMIN: Create events with each status: published, private, password-protected, draft, and trashed
3. CONTRIBUTOR: Add shortcode to any post and specify/guess the event ID and save
4. CONTRIBUTOR: Preview the post and see event you shouldn't have access to

Example shortcode: `[tribe:event-details id="ANY_EVENT_ID"]`

Pro:
1. ADMIN: Install The Events Calendar
2. ADMIN: Install Events Calendar Pro
3. ADMIN: Create events with each status: published, private, password-protected, draft, and trashed
4. CONTRIBUTOR: Add shortcode to any post and specify/guess the event ID and save
5. CONTRIBUTOR: Preview the post and see event you shouldn't have access to

Example shortcode: `[tribe_event_inline id="ANY_EVENT_ID"]{title} {content}[/tribe_event_inline]`