WordPress Plugin Vulnerabilities

Event Tickets and Registration < 5.8.2 - Missing Authorization

Description

The Event Tickets and Registration plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'email' action in all versions up to, and including, 5.8.1. This makes it possible for authenticated attackers, with contributor-level access and above, to email the attendees list to themselves.

Affects Plugins

Plugin icon
event-tickets
Fixed in 5.8.2

References

CVE
CVE-2024-1053
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/a7839847-2637-4a0d-bfc1-5f80b8433e24

Classification

Type
ACCESS CONTROLS
OWASP top 10
A5: Broken Access Control
CWE
CWE-284
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Muhammad Daffa
Verified
No
WPVDB ID
6b2cc7c4-8b88-4c2d-aa93-fc3078f5fa60

Timeline

Publicly Published
2024-02-21 (about 2 months ago)
Added
2024-02-21 (about 2 months ago)
Last Updated
2024-02-21 (about 2 months ago)

Other

Published
Title
Published
2023-10-16
Title
Templately < 2.2.6 - Unauthenticated Arbitrary Post Deletion
Published
2024-02-16
Title
Paid Memberships Pro < 2.12.9 - Contributor+ Arbitrary User Custom Field Disclosure
Published
2022-08-01
Title
Duplicator < 1.4.7 - Unauthenticated Backup Download
Published
2021-08-31
Title
WooCommerce Dynamic Pricing & Discounts < 2.4.2 - Unauthenticated Settings Export
Published
2021-04-14
Title
BuddyPress < 7.3.0 - Multiple Authenticated REST API Vulnerabilities