Event Tickets and Registration < 5.8.3 – Improper Authorization to Information Disclosure | CVE 2024-2261 | Plugin Vulnerabilities

Description

The Event Tickets and Registration plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 5.8.2 via the RSVP functionality. This makes it possible for authenticated attackers, with contributor access and above, to extract sensitive data including emails and street addresses.

Affects Plugins

Fixed in 5.8.3

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/2e42dd1c-adf7-471a-a14a-9038c56413a2

Classification

Type

IDOR

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Tim Coen

Verified

No

WPVDB ID

ea8851f3-2129-4242-bcc5-9365543d5c1e

Timeline

Publicly Published

2024-03-26 (about 2 years ago)

Added

2024-03-26 (about 2 years ago)

Last Updated

2024-03-26 (about 2 years ago)

Other

Published

Title

Published

2024-04-05

Title

BookingPress < 1.0.82 - Authenticated (Customer+) Insecure Direct Object Reference

Published

2025-11-29

Title

StreamTube Core < 4.79 - Unauthenticated Arbitrary User Password Change

Published

2024-12-03

Title

LA-Studio Element Kit for Elementor < 1.4.5 - Authenticated (Contributor+) Post Disclosure

Published

2026-03-12

Title

Formidable Forms < 6.29 - Unauthenticated Payment Amount Manipulation via 'item_meta' Parameter

Published

2026-04-14

Title

Login as User <= 1.0.3 - Authenticated (Subscriber+) Privilege Escalation via 'oclaup_original_admin' Cookie