CVE-2024-1124 - Vulnerability Details - OpenCVE

The EventPrime – Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to unauthorized email sending due to a missing capability check on the ep_send_attendees_email() function in all versions up to, and including, 3.4.1. This makes it possible for authenticated attackers, with subscriber-level access and above, to send arbitrary emails with arbitrary content from the site.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Metagauss	Eventprime

Configuration 1 [-]

cpe:2.3:a:metagauss:eventprime:*:*:*:*:*:wordpress:*:*

No data.

References

Link	Providers
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3043888%40eventprime-event-calendar-management&new=3043888%40eventprime-event-calendar-management&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/346049ca-1bc5-4e02-9f38-d1f64338709d?source=cve

History

Wed, 15 Jan 2025 21:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Metagauss Metagauss eventprime
Weaknesses		CWE-862
CPEs		cpe:2.3:a:metagauss:eventprime::::::wordpress::*
Vendors & Products		Metagauss Metagauss eventprime

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2024-03-09T07:01:04.693Z

Updated: 2024-08-01T18:26:30.510Z

Reserved: 2024-01-31T14:07:51.809Z

Link: CVE-2024-1124

Vulnrichment

Updated: 2024-08-01T18:26:30.510Z

NVD

Status : Analyzed

Published: 2024-03-09T07:15:08.000

Modified: 2025-01-15T21:21:12.120

Link: CVE-2024-1124

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-1124", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2024-01-31T14:07:51.809Z", "datePublished": "2024-03-09T07:01:04.693Z", "dateUpdated": "2024-08-01T18:26:30.510Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2024-03-09T07:01:04.693Z"}, "affected": [{"vendor": "metagauss", "product": "EventPrime \u2013 Events Calendar, Bookings and Tickets", "versions": [{"version": "*", "status": "affected", "lessThanOrEqual": "3.4.3", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The EventPrime \u2013 Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to unauthorized email sending due to a missing capability check on the ep_send_attendees_email() function in all versions up to, and including, 3.4.1. This makes it possible for authenticated attackers, with subscriber-level access and above, to send arbitrary emails with arbitrary content from the site."}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/346049ca-1bc5-4e02-9f38-d1f64338709d?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3043888%40eventprime-event-calendar-management&new=3043888%40eventprime-event-calendar-management&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Lucio S\u00e1"}], "timeline": [{"time": "2024-03-08T00:00:00.000+00:00", "lang": "en", "value": "Disclosed"}]}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-1124", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-03-11T14:26:51.647667Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:59:40.679Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T18:26:30.510Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/346049ca-1bc5-4e02-9f38-d1f64338709d?source=cve", "tags": ["x_transferred"]}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3043888%40eventprime-event-calendar-management&new=3043888%40eventprime-event-calendar-management&sfp_email=&sfph_mail=", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/346049ca-1bc5-4e02-9f38-d1f64338709d?source=cve", "tags": ["x_transferred"]}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3043888%40eventprime-event-calendar-management&new=3043888%40eventprime-event-calendar-management&sfp_email=&sfph_mail=", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T18:26:30.510Z"}}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-1124", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-03-11T14:26:51.647667Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-23T19:01:16.692Z"}, "title": "CISA ADP Vulnrichment"}], "cna": {"credits": [{"lang": "en", "type": "finder", "value": "Lucio S\u00e1"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "metagauss", "product": "EventPrime \u2013 Events Calendar, Bookings and Tickets", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "3.4.3"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2024-03-08T00:00:00.000+00:00", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/346049ca-1bc5-4e02-9f38-d1f64338709d?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3043888%40eventprime-event-calendar-management&new=3043888%40eventprime-event-calendar-management&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The EventPrime \u2013 Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to unauthorized email sending due to a missing capability check on the ep_send_attendees_email() function in all versions up to, and including, 3.4.1. This makes it possible for authenticated attackers, with subscriber-level access and above, to send arbitrary emails with arbitrary content from the site."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2024-03-09T07:01:04.693Z"}}}, "cveMetadata": {"cveId": "CVE-2024-1124", "state": "PUBLISHED", "dateUpdated": "2024-08-01T18:26:30.510Z", "dateReserved": "2024-01-31T14:07:51.809Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2024-03-09T07:01:04.693Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:metagauss:eventprime:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "A668DE1F-72F6-41C6-A3FE-0EF956389DD6", "versionEndExcluding": "3.4.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The EventPrime \u2013 Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to unauthorized email sending due to a missing capability check on the ep_send_attendees_email() function in all versions up to, and including, 3.4.1. This makes it possible for authenticated attackers, with subscriber-level access and above, to send arbitrary emails with arbitrary content from the site."}, {"lang": "es", "value": "El complemento EventPrime \u2013 Events Calendar, Bookings and Tickets para WordPress es vulnerable al env\u00edo de correo electr\u00f3nico no autorizado debido a una falta de verificaci\u00f3n de capacidad en la funci\u00f3n ep_send_attendees_email() en todas las versiones hasta la 3.4.1 incluida. Esto hace posible que atacantes autenticados, con acceso de nivel de suscriptor y superior, env\u00eden correos electr\u00f3nicos arbitrarios con contenido arbitrario desde el sitio."}], "id": "CVE-2024-1124", "lastModified": "2025-01-15T21:21:12.120", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2024-03-09T07:15:08.000", "references": [{"source": "security@wordfence.com", "tags": ["Patch"], "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3043888%40eventprime-event-calendar-management&new=3043888%40eventprime-event-calendar-management&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/346049ca-1bc5-4e02-9f38-d1f64338709d?source=cve"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3043888%40eventprime-event-calendar-management&new=3043888%40eventprime-event-calendar-management&sfp_email=&sfph_mail="}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/346049ca-1bc5-4e02-9f38-d1f64338709d?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "nvd@nist.gov", "type": "Primary"}]}