5.3

CVE-2024-11396

Event monster <= 1.4.3 - Information Exposure Via Visitors List Export

Event monster <= 1.4.3 - Information Exposure Via Visitors List Export

The Event Monster – Event Management, Tickets Booking, Upcoming Event plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.4.3 via the Visitors List Export file. During the export, a CSV file is created in the wp-content folder with a hardcoded filename that is publicly accessible. This makes it possible for unauthenticated attackers to extract data about event visitors, that includes first and last names, email, and phone number.
Mögliche Gegenmaßnahme
Event Monster – Event Manager, Ticket Booking & Registration: Update to version 1.4.4, or a newer patched version
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
AwplifeEvent Monster SwPlatformwordpress Version < 1.4.4
Weitere Schwachstelleninformationen
SystemWordPress Plugin
Produkt Event Monster – Event Manager, Ticket Booking & Registration
Version *-1.4.3
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 1.94% 0.775
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
security@wordfence.com 5.3 3.9 1.4
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CWE-359 Exposure of Private Personal Information to an Unauthorized Actor

The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the information or (2) do not have the implicit consent of the person about whom the information is collected.

https://plugins.trac.wordpress.org/browser/event-monster/tags/1.4.3/em-ajax-prossesing/em-visitor-ajax.php#L92
Product
https://www.wordfence.com/threat-intel/vulnerabilities/id/0f522dfe-f2c2-4adb-980c-1f03d3c26e12?source=cve
Third Party Advisory
https://www.wordfence.com/threat-intel/vulnerabilities/id/0f522dfe-f2c2-4adb-980c-1f03d3c26e12
Third Party Advisory