The Events Calendar < 6.8.2.1 – Unauthenticated Password Protected Event Disclosure | CVE 2024-5333

Description

The plugin is missing access checks in the REST API, allowing for unauthenticated users to access information about password protected events.

Proof of Concept

1. Create a password protected event
2. See the event details included in the REST APIs:

https://example.com/wp-json/tribe/events/v1/events/ (fixed in 6.8.2.1)
http://example.com/wp-json/tribe/events/v1/events/<event-id> (fixed in 6.5.0.1)

Affects Plugins

the-events-calendar

Fixed in 6.8.2.1

References

CVE

CVE-2024-5333

Classification

Type

IDOR

OWASP top 10

A5: Broken Access Control

CWE

CWE-639

CVSS

4.3 (medium)

Miscellaneous

Original Researcher

Felipe Caon

Submitter

caon

Submitter website

https://caon.io

Verified

Yes

WPVDB ID

764b5a23-8b51-4882-b899-beb54f684984

Timeline

Publicly Published

2024-11-25 (about 1 year ago)

Added

2024-11-25 (about 1 year ago)

Last Updated

2025-08-25 (about 4 months ago)

Other

Published

Title

Published

2025-01-06

Title

WP Job Portal – A Complete Recruitment System for Company or Job Board website < 2.2.6- Authenticated (Subscriber+) Insecure Direct Object Reference

Published

2025-04-01

Title

JS Job Manager <= 2.0.2 - Authenticated Insecure Direct Object Reference

Published

2021-09-22

Title

WP User Manager < 2.6.3 - Arbitrary User Password Reset to Account Compromise

Published

2025-08-15

Title

School Management <= 93.1.0 - Unauthenticated Insecure Direct Object Reference

Published

2024-06-06

Title

Tutor LMS – eLearning and online course solution < 2.7.2 - Authenticated (Instructor+) Insecure Direct Object Reference to Arbitrary Quiz Attempt Deletion