WordPress Plugin Vulnerabilities

The Events Calendar Free & Pro <= 6.4.0 - Contributor+ Missing Authorization to Authenticated Arbitrary Events Access

Description

Multiple plugins and/or themes for WordPress are vulnerable to unauthorized access of data due to a insufficient capability checks and restrictions on a function in various versions. This makes it possible for authenticated attackers, with Contributor-level access and above, to access arbitrary events that they should not have access to.

Affects Plugins

Plugin icon
the-events-calendar
Fixed in 6.4.0.1
Plugin icon
the-events-calendar-pro
Fixed in 6.4.0.1

References

CVE
CVE-2024-1295
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/974c0e94-8d09-488a-9a09-49f0b9ce112c

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Scott Kingsley Clark
Verified
No
WPVDB ID
9b46fd80-f85e-4ae1-ac9a-2fa85361c8a7

Timeline

Publicly Published
2024-05-24 (about 1 year ago)
Added
2024-05-30 (about 1 year ago)
Last Updated
2024-05-30 (about 1 year ago)

Other

Published
Title
Published
2024-02-28
Title
WPvivid Backup and Migration < 0.9.69 - Unauthenticated SQLi & DoS
Published
2024-12-14
Title
Spreadr Woocommerce < 1.0.5 - Missing Authorization
Published
2026-01-30
Title
Atarim < 4.3.2 - Missing Authorization
Published
2025-06-05
Title
BM Content Builder < 3.16.3 - Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting via ux_cb_page_options_save
Published
2025-06-05
Title
WP AutoKeyword <= 1.0 - Missing Authorization