CVE-2024-1316 (GCVE-0-2024-1316)
Vulnerability from cvelistv5 – Published: 2024-03-04 21:00 – Updated: 2024-08-28 15:21
VLAI?
Title
Event Tickets and Registration < 5.8.1 - Contributor+ Arbitrary Events Access
Summary
The Event Tickets and Registration WordPress plugin before 5.8.1, Events Tickets Plus WordPress plugin before 5.9.1 does not prevent users with at least the contributor role from leaking the existence of certain events they shouldn't have access to. (e.g. draft, private, pending review, pw-protected, and trashed events).
Severity ?
6.5 (Medium)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Unknown | Event Tickets and Registration |
Affected:
0 , < 5.8.1
(semver)
|
|||||||
|
|||||||||
Credits
Scott Kingsley Clark
WPScan
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T18:33:25.700Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"exploit",
"vdb-entry",
"technical-description",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/d80dfe2f-207d-4cdf-8c71-27936c6318e5/"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:theeventscalendar:eventbrite_tickets:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "eventbrite_tickets",
"vendor": "theeventscalendar",
"versions": [
{
"lessThan": "5.8.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-1316",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-06T15:21:23.557368Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-28T15:21:35.718Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"product": "Event Tickets and Registration",
"vendor": "Unknown",
"versions": [
{
"lessThan": "5.8.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Events Tickets Plus",
"vendor": "Unknown",
"versions": [
{
"lessThan": "5.9.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Scott Kingsley Clark"
},
{
"lang": "en",
"type": "coordinator",
"value": "WPScan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Event Tickets and Registration WordPress plugin before 5.8.1, Events Tickets Plus WordPress plugin before 5.9.1 does not prevent users with at least the contributor role from leaking the existence of certain events they shouldn\u0027t have access to. (e.g. draft, private, pending review, pw-protected, and trashed events)."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-284 Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-04T21:00:09.876Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"exploit",
"vdb-entry",
"technical-description"
],
"url": "https://wpscan.com/vulnerability/d80dfe2f-207d-4cdf-8c71-27936c6318e5/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Event Tickets and Registration \u003c 5.8.1 - Contributor+ Arbitrary Events Access",
"x_generator": {
"engine": "WPScan CVE Generator"
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2024-1316",
"datePublished": "2024-03-04T21:00:09.876Z",
"dateReserved": "2024-02-07T16:09:47.068Z",
"dateUpdated": "2024-08-28T15:21:35.718Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"fkie_nvd": {
"descriptions": "[{\"lang\": \"en\", \"value\": \"The Event Tickets and Registration WordPress plugin before 5.8.1, Events Tickets Plus WordPress plugin before 5.9.1 does not prevent users with at least the contributor role from leaking the existence of certain events they shouldn\u0027t have access to. (e.g. draft, private, pending review, pw-protected, and trashed events).\"}, {\"lang\": \"es\", \"value\": \"El complemento Event Tickets and Registration de WordPress anterior a 5.8.1, el complemento Events Tickets Plus de WordPress anterior a 5.9.1 no impide que los usuarios con al menos el rol de colaborador filtren la existencia de ciertos eventos a los que no deber\\u00edan tener acceso. (por ejemplo, eventos borrador, privados, pendientes de revisi\\u00f3n, protegidos por contrase\\u00f1a y eliminados).\"}]",
"id": "CVE-2024-1316",
"lastModified": "2024-11-21T08:50:19.090",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\", \"baseScore\": 6.5, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 3.6}]}",
"published": "2024-03-04T21:15:07.007",
"references": "[{\"url\": \"https://wpscan.com/vulnerability/d80dfe2f-207d-4cdf-8c71-27936c6318e5/\", \"source\": \"contact@wpscan.com\"}, {\"url\": \"https://wpscan.com/vulnerability/d80dfe2f-207d-4cdf-8c71-27936c6318e5/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}]",
"sourceIdentifier": "contact@wpscan.com",
"vulnStatus": "Awaiting Analysis"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2024-1316\",\"sourceIdentifier\":\"contact@wpscan.com\",\"published\":\"2024-03-04T21:15:07.007\",\"lastModified\":\"2025-06-27T14:13:27.050\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The Event Tickets and Registration WordPress plugin before 5.8.1, Events Tickets Plus WordPress plugin before 5.9.1 does not prevent users with at least the contributor role from leaking the existence of certain events they shouldn\u0027t have access to. (e.g. draft, private, pending review, pw-protected, and trashed events).\"},{\"lang\":\"es\",\"value\":\"El complemento Event Tickets and Registration de WordPress anterior a 5.8.1, el complemento Events Tickets Plus de WordPress anterior a 5.9.1 no impide que los usuarios con al menos el rol de colaborador filtren la existencia de ciertos eventos a los que no deber\u00edan tener acceso. (por ejemplo, eventos borrador, privados, pendientes de revisi\u00f3n, protegidos por contrase\u00f1a y eliminados).\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-noinfo\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:liquidweb:event_tickets:*:*:*:*:free:wordpress:*:*\",\"versionEndExcluding\":\"5.8.1\",\"matchCriteriaId\":\"38606711-F38F-4EDD-933A-6E56180236EA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:liquidweb:event_tickets:*:*:*:*:plus:wordpress:*:*\",\"versionEndExcluding\":\"5.9.1\",\"matchCriteriaId\":\"4DF28AAA-1A23-4675-9FC1-01B6E1CAC2C7\"}]}]}],\"references\":[{\"url\":\"https://wpscan.com/vulnerability/d80dfe2f-207d-4cdf-8c71-27936c6318e5/\",\"source\":\"contact@wpscan.com\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://wpscan.com/vulnerability/d80dfe2f-207d-4cdf-8c71-27936c6318e5/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://wpscan.com/vulnerability/d80dfe2f-207d-4cdf-8c71-27936c6318e5/\", \"tags\": [\"exploit\", \"vdb-entry\", \"technical-description\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-01T18:33:25.700Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 6.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-1316\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-03-06T15:21:23.557368Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:theeventscalendar:eventbrite_tickets:*:*:*:*:*:*:*:*\"], \"vendor\": \"theeventscalendar\", \"product\": \"eventbrite_tickets\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"5.8.1\", \"versionType\": \"semver\"}], \"defaultStatus\": \"unaffected\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-08-28T15:21:19.565Z\"}}], \"cna\": {\"title\": \"Event Tickets and Registration \u003c 5.8.1 - Contributor+ Arbitrary Events Access\", \"source\": {\"discovery\": \"EXTERNAL\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Scott Kingsley Clark\"}, {\"lang\": \"en\", \"type\": \"coordinator\", \"value\": \"WPScan\"}], \"affected\": [{\"vendor\": \"Unknown\", \"product\": \"Event Tickets and Registration\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"5.8.1\", \"versionType\": \"semver\"}], \"collectionURL\": \"https://wordpress.org/plugins\", \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"Unknown\", \"product\": \"Events Tickets Plus\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"5.9.1\", \"versionType\": \"semver\"}], \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://wpscan.com/vulnerability/d80dfe2f-207d-4cdf-8c71-27936c6318e5/\", \"tags\": [\"exploit\", \"vdb-entry\", \"technical-description\"]}], \"x_generator\": {\"engine\": \"WPScan CVE Generator\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"The Event Tickets and Registration WordPress plugin before 5.8.1, Events Tickets Plus WordPress plugin before 5.9.1 does not prevent users with at least the contributor role from leaking the existence of certain events they shouldn\u0027t have access to. (e.g. draft, private, pending review, pw-protected, and trashed events).\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"description\": \"CWE-284 Improper Access Control\"}]}], \"providerMetadata\": {\"orgId\": \"1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81\", \"shortName\": \"WPScan\", \"dateUpdated\": \"2024-03-04T21:00:09.876Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2024-1316\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-08-28T15:21:35.718Z\", \"dateReserved\": \"2024-02-07T16:09:47.068Z\", \"assignerOrgId\": \"1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81\", \"datePublished\": \"2024-03-04T21:00:09.876Z\", \"assignerShortName\": \"WPScan\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…