EventPrime – Events Calendar, Bookings and Tickets < 3.4.4 – Missing Authorization to Authenticated (Subscriber+) Arbitrary Email Sending | CVE 2024-1124 | Plugin Vulnerabilities

Description

The EventPrime – Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to unauthorized email sending due to a missing capability check on the ep_send_attendees_email() function in all versions up to, and including, 3.4.1. This makes it possible for authenticated attackers, with subscriber-level access and above, to send arbitrary emails with arbitrary content from the site.

Affects Plugins

eventprime-event-calendar-management

Fixed in 3.4.4

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/346049ca-1bc5-4e02-9f38-d1f64338709d

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Lucio Sá

Verified

No

WPVDB ID

ec2dd92e-4df2-454d-98dd-38e77e9a461d

Timeline

Publicly Published

2024-03-08 (about 2 years ago)

Added

2024-03-08 (about 2 years ago)

Last Updated

2024-03-08 (about 2 years ago)

Other

Published

Title

Published

2026-04-23

Title

MasterStudy LMS Pro < 4.7.16 - Missing Authorization

Published

2025-09-08

Title

AutomatorWP < 5.3.8 - Authenticated (Subscriber+) Missing Authorization to Multiple Functions

Published

2025-12-31

Title

Walker for Elementor <= 1.1.6 - Missing Authorization

Published

2024-02-02

Title

Smart Forms < 2.6.87 - Subscriber+ Arbitrary Entry Deletion

Published

2026-01-08

Title

Tutor LMS – eLearning and online course solution < 3.9.4 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Coupon Modification