WordPress Plugin Vulnerabilities

EventPrime – Events Calendar, Bookings and Tickets < 4.0.7.4 - Missing Authorization to Authenticated (Subscriber+) Event Attendees Export

Description

The EventPrime – Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability checks on the export_submittion_attendees function in all versions up to, and including, 4.0.7.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to download list of attendees for any event.

Affects Plugins

Plugin icon
eventprime-event-calendar-management
Fixed in 4.0.7.4

References

CVE
CVE-2024-13526
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/2be578d9-27c3-4a16-a634-1514ed97a1a2

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Tim Coen
Verified
No
WPVDB ID
83156a56-87bc-4d4a-bc43-7f6f3bb0c3bd

Timeline

Publicly Published
2025-03-06 (about 1 year ago)
Added
2025-03-11 (about 1 year ago)
Last Updated
2025-03-11 (about 1 year ago)

Other

Published
Title
Published
2026-03-20
Title
Appmax <= 1.0.3 - Order Status Manipulation and Arbitrary Order Creation
Published
2025-05-09
Title
SMS Alert Order Notifications – WooCommerce < 3.8.2 - Authenticated (Subscriber+) Privilege Escalation via handleWpLoginCreateUserAction Function
Published
2024-04-30
Title
WooCommerce AWeber Newsletter Subscription < 4.0.3 - Missing Authorization to Access Token Modification
Published
2024-06-20
Title
Smush < 3.16.5 - Subscriber+ Resmush List Deletion
Published
2025-05-16
Title
Simple Link Directory Pro < 14.8.1 - Missing Authorization