WordPress Plugin Vulnerabilities

EventPrime – Events Calendar, Bookings and Tickets < 3.4.4 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Deletion

Description

The EventPrime – Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the calendar_events_delete() function in all versions up to, and including, 3.4.3. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete arbitrary posts.

Affects Plugins

Plugin icon
eventprime-event-calendar-management
Fixed in 3.4.4

References

CVE
CVE-2024-1125
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/b5278afb-9db3-4b1d-bb2f-e6595f0ac6dc

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
6.5 (medium)

Miscellaneous

Original Researcher
Lucio Sá
Verified
No
WPVDB ID
caffbfba-c623-4cab-887c-8610317ae8d6

Timeline

Publicly Published
2024-03-08 (about 2 years ago)
Added
2024-03-08 (about 2 years ago)
Last Updated
2024-03-08 (about 2 years ago)

Other

Published
Title
Published
2024-07-19
Title
Getwid – Gutenberg Blocks < 2.0.11 - Missing Authentication to MailChimp API key update
Published
2024-08-23
Title
ImageRecycle pdf & image compression < 3.1.15 - Missing Authorization in Several AJAX Actions
Published
2026-02-18
Title
TrueBooker < 1.1.7 - Missing Authorization
Published
2026-01-06
Title
Guest posting / Frontend Posting / Front Editor – WP Front User Submit < 5.0.1 - Missing Authorization to Unauthenticated Media Deletion
Published
2024-08-01
Title
WordPress File Upload < 4.24.8 - Missing Authorization