WordPress Plugin Vulnerabilities
Event Tickets and Registration < 5.8.1 - Contributor+ Arbitrary Events Access
Description
The plugin does not prevent users with at least the contributor role from leaking the existence of certain events they shouldn't have access to. (e.g. draft, private, pending review, pw-protected, and trashed events).
Proof of Concept
1. ADMIN: Install Event Tickets 2. ADMIN: Install Event Tickets Plus (Event Tickets Plus required for this specific shortcode that exists in the Event Tickets code) 3. ADMIN: Create pages with each status: published, private, password-protected, draft, and trashed and add one RSVP that has an end sale date of 1 week from now 4. ADMIN: Go to those pages and RSVP for each one as the currently logged in admin 5. CONTRIBUTOR: Add shortcode to any post and specify/guess the user ID and save 6. CONTRIBUTOR: Preview the post and see all pages (of any status) you shouldn't have access to and for any user you shouldn't be able to see Example shortcode: `[tribe-user-event-confirmations user="ANY_USER_ID"]`
Affects Plugins
Fixed in 5.8.1
Fixed in 5.9.1 References
CVE
Classification
Type
ACCESS CONTROLS
OWASP top 10
CWE
Miscellaneous
Original Researcher
Scott Kingsley Clark
Submitter
Scott Kingsley Clark
Submitter website
Submitter twitter
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2024-02-08 (about 2 months ago)
Added
2024-02-08 (about 2 months ago)
Last Updated
2024-02-08 (about 2 months ago)
WPScan 