WordPress Plugin Vulnerabilities

EventPrime – Events Calendar, Bookings and Tickets < 3.4.3 - Missing Authorization to Arbitrary Post Overwrite

Description

The EventPrime – Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the save_frontend_event_submission() function in all versions up to, and including, 3.4.2. This makes it possible for authenticated attackers, with subscriber-level access and above, to overwrite the title and content of arbitrary posts. This can also be exploited by unauthenticated attackers when the allow_submission_by_anonymous_user setting is enabled.

Affects Plugins

Plugin icon
eventprime-event-calendar-management
Fixed in 3.4.3

References

CVE
CVE-2024-1123
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/351926d4-a9be-4fbd-bdf2-8bbff41d97ef

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
6.5 (medium)

Miscellaneous

Original Researcher
Lucio Sá
Verified
No
WPVDB ID
82d8ee14-226c-48d2-abaa-5171643b0ad1

Timeline

Publicly Published
2024-03-08 (about 2 years ago)
Added
2024-03-08 (about 2 years ago)
Last Updated
2024-03-08 (about 2 years ago)

Other

Published
Title
Published
2026-03-17
Title
Ave Core <= 2.9.1 - Missing Authorization
Published
2023-12-07
Title
Alt Manager < 1.6.2 - Missing Authorization
Published
2023-10-13
Title
RumbleTalk Live Group Chat < 6.2.0 - Missing Authorization via handleRequest
Published
2022-01-17
Title
WP Ultimate CSV Importer < 6.4.2 - Subscriber+ Arbitrary Option Deletion
Published
2024-10-22
Title
RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging < 4.23.13 - Missing Authorization