Vulnerabilities (CVE)

  1. OpenCVE
  2. Vulnerabilities (CVE)
Filtered by vendor Eventespresso Subscribe
Total 5 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2024-6883 1 Eventespresso 1 Event Espresso 2025-07-10 N/A 4.3 MEDIUM
The Event Espresso 4 Decaf – Event Registration Event Ticketing plugin for WordPress is vulnerable to limited unauthorized plugin settings modification due to a missing capability check on the saveTimezoneString and some other functions in all versions up to, and including, 5.0.22.decaf. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify some of the plugin settings.
CVE-2017-14760 1 Eventespresso 1 Event Espresso Lite 2025-04-20 7.5 HIGH 9.8 CRITICAL
SQL Injection exists in /includes/event-management/index.php in the event-espresso-free (aka Event Espresso Lite) plugin v3.1.37.12.L for WordPress via the recurrence_id parameter to /wp-admin/admin.php.
CVE-2017-1002026 1 Eventespresso 1 Event Espresso 2025-04-20 6.5 MEDIUM 8.8 HIGH
Vulnerability in wordpress plugin Event Expresso Free v3.1.37.11.L, The function edit_event_category does not sanitize user-supplied input via the $id parameter before passing it into an SQL statement.
CVE-2021-4404 1 Eventespresso 1 Event Espresso 4 Decaf 2024-11-21 N/A 4.3 MEDIUM
The Event Espresso 4 Decaf plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.10.11. This is due to missing or incorrect nonce validation on the ajaxHandler() function. This makes it possible for unauthenticated attackers to op into notifications via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CVE-2020-26153 1 Eventespresso 1 Event Espresso 2024-11-21 4.3 MEDIUM 6.1 MEDIUM
A cross-site scripting (XSS) vulnerability in wp-content/plugins/event-espresso-core-reg/admin_pages/messages/templates/ee_msg_admin_overview.template.php in the Event Espresso Core plugin before 4.10.7.p for WordPress allows remote attackers to inject arbitrary web script or HTML via the page parameter.