CVE-2024-1053

The Event Tickets and Registration plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'email' action in all versions up to, and including, 5.8.1. This makes it possible for authenticated attackers, with contributor-level access and above, to email the attendees list to themselves.

CVSS v3 4.3 MEDIUM

4.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://plugins.trac.wordpress.org/changeset/3038150/event-tickets/tags/5.8.2/src/Tickets/Commerce/Reports/Attendees.php	Patch
https://www.wordfence.com/threat-intel/vulnerabilities/id/a7839847-2637-4a0d-bfc1-5f80b8433e24?source=cve	Third Party Advisory
https://plugins.trac.wordpress.org/changeset/3038150/event-tickets/tags/5.8.2/src/Tickets/Commerce/Reports/Attendees.php	Patch
https://www.wordfence.com/threat-intel/vulnerabilities/id/a7839847-2637-4a0d-bfc1-5f80b8433e24?source=cve	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:liquidweb:event_tickets:*:*:*:*:free:wordpress:*:*

History

07 Feb 2025, 15:24

Type	Values Removed	Values Added
CPE		cpe:2.3:a:liquidweb:event_tickets:::::free:wordpress::
CWE		CWE-862
First Time		Liquidweb event Tickets Liquidweb
References	~~() https://plugins.trac.wordpress.org/changeset/3038150/event-tickets/tags/5.8.2/src/Tickets/Commerce/Reports/Attendees.php -~~	() https://plugins.trac.wordpress.org/changeset/3038150/event-tickets/tags/5.8.2/src/Tickets/Commerce/Reports/Attendees.php - Patch
References	~~() https://www.wordfence.com/threat-intel/vulnerabilities/id/a7839847-2637-4a0d-bfc1-5f80b8433e24?source=cve -~~	() https://www.wordfence.com/threat-intel/vulnerabilities/id/a7839847-2637-4a0d-bfc1-5f80b8433e24?source=cve - Third Party Advisory

Information

Published : 2024-02-22 06:15

Updated : 2025-02-07 15:24

NVD link : CVE-2024-1053

Mitre link : CVE-2024-1053

CVE.ORG link : CVE-2024-1053

JSON object : View

Products Affected

liquidweb

event_tickets

CWE

CWE-862

Missing Authorization

{"id": "CVE-2024-1053", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security@wordfence.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 2.8}]}, "published": "2024-02-22T06:15:57.703", "references": [{"url": "https://plugins.trac.wordpress.org/changeset/3038150/event-tickets/tags/5.8.2/src/Tickets/Commerce/Reports/Attendees.php", "tags": ["Patch"], "source": "security@wordfence.com"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a7839847-2637-4a0d-bfc1-5f80b8433e24?source=cve", "tags": ["Third Party Advisory"], "source": "security@wordfence.com"}, {"url": "https://plugins.trac.wordpress.org/changeset/3038150/event-tickets/tags/5.8.2/src/Tickets/Commerce/Reports/Attendees.php", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a7839847-2637-4a0d-bfc1-5f80b8433e24?source=cve", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-862"}]}], "descriptions": [{"lang": "en", "value": "The Event Tickets and Registration plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'email' action in all versions up to, and including, 5.8.1. This makes it possible for authenticated attackers, with contributor-level access and above, to email the attendees list to themselves."}, {"lang": "es", "value": "El complemento Event Tickets and Registration para WordPress es vulnerable al acceso no autorizado a los datos debido a una falta de verificaci\u00f3n de capacidad en la acci\u00f3n 'email' en todas las versiones hasta la 5.8.1 incluida. Esto hace posible que los atacantes autenticados, con acceso de nivel de colaborador y superior, se env\u00eden por correo electr\u00f3nico la lista de asistentes."}], "lastModified": "2025-02-07T15:24:56.923", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:liquidweb:event_tickets:*:*:*:*:free:wordpress:*:*", "vulnerable": true, "matchCriteriaId": "95CAAF71-8C53-4425-B424-3E6CCF952148", "versionEndExcluding": "5.8.2"}], "operator": "OR"}]}], "sourceIdentifier": "security@wordfence.com"}