WordPress Plugin Vulnerabilities

EventPrime < 4.0.4.0 - Missing Authorization via calendar_event_create()

Description

The EventPrime plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the calendar_event_create() function in versions up to, and including, 4.0.3.2. This makes it possible for authenticated attackers, with subscriber-level access and above, to create calendar events.

Affects Plugins

Plugin icon
eventprime-event-calendar-management
Fixed in 4.0.4.0

References

CVE
CVE-2024-43223
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/67b36ed7-d7f4-4944-b721-219d1990971a

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Trương Hữu Phúc (truonghuuphuc)
Verified
No
WPVDB ID
e86c6fc9-a71b-459b-86fb-46a4f570046a

Timeline

Publicly Published
2024-08-09 (about 1 year ago)
Added
2024-08-13 (about 1 year ago)
Last Updated
2024-08-13 (about 1 year ago)

Other

Published
Title
Published
2025-06-27
Title
Pre-Publish Post Checklist <= 3.1 - Missing Authorization
Published
2025-09-22
Title
Ongkoskirim.id <= 1.0.6 - Missing Authorization
Published
2026-02-16
Title
EventPrime < 4.2.8.5 - Missing Authorization to Unauthenticated Image Upload via 'ep_upload_file_media' AJAX Endpoint
Published
2025-06-12
Title
MultiVendorX < 4.2.24 - Missing Authorization
Published
2024-09-25
Title
Templately < 3.1.3 - Missing Authorization