WordPress Plugin Vulnerabilities

EventPrime – Events Calendar, Bookings and Tickets < 3.4.3 - Unauthenticated Booking Payment Bypass

Description

The EventPrime – Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to payment bypass in all versions up to, and including, 3.4.2. This is due to the plugin allowing unauthenticated users to update the status of order payments. This makes it possible for unauthenticated attackers to book events for free.

Affects Plugins

Plugin icon
eventprime-event-calendar-management
Fixed in 3.4.3

References

CVE
CVE-2024-1321
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/765d0933-8db2-471c-ad4e-e19d3b4ff015

Classification

Type
CONTENT INJECTION
OWASP top 10
A1: Injection
CWE
CWE-345
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Lucio Sá
Verified
No
WPVDB ID
b3e7a6f5-86c4-4cc4-ab3c-c6befba88f2c

Timeline

Publicly Published
2024-03-08 (about 2 years ago)
Added
2024-03-08 (about 2 years ago)
Last Updated
2024-03-08 (about 2 years ago)

Other

Published
Title
Published
2024-04-25
Title
Car Dealer < 4.16 - Admin+ Content Injection
Published
2024-06-28
Title
Photo Gallery by Ays < 5.7.1 - Administrator+ HTML Injection
Published
2024-02-20
Title
Tutor LMS < 2.6.1 - Student+ HTML Injection via Q&A
Published
2026-02-21
Title
The Plus Addons for Elementor – Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce < 6.4.8 - Unauthenticated Email Relay
Published
2024-06-06
Title
PPOM for WooCommerce < 32.0.21 - Unauthenticated Content Injection Vulnerability