CVE-2024-1295 - OpenCVE

The events-calendar-pro WordPress plugin before 6.4.0.1, The Events Calendar WordPress plugin before 6.4.0.1 does not prevent users with at least the contributor role from leaking details about events they shouldn't have access to. (e.g. password-protected events, drafts, etc.)

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Tri	The Events Calendar

Configuration 1 [-]

cpe:2.3:a:tri:the_events_calendar:*:*:*:*:*:wordpress:*:*

Configuration 2 [-]

cpe:2.3:a:tri:the_events_calendar:*:*:pro:*:*:wordpress:*:*

No data.

References

Link	Providers
https://wpscan.com/vulnerability/3cffbeb0-545a-4002-b02c-0fa38cada1db/

History

Wed, 07 Aug 2024 19:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Tri Tri the Events Calendar
Weaknesses		NVD-CWE-Other
CPEs		cpe:2.3:a:tri:the_events_calendar::::::wordpress::* cpe:2.3:a:tri:the_events_calendar:::pro:::wordpress::
Vendors & Products		Tri Tri the Events Calendar

MITRE

Status: PUBLISHED

Assigner: WPScan

Published: 2024-06-14T06:00:02.149Z

Updated: 2024-08-01T18:33:25.358Z

Reserved: 2024-02-06T21:24:31.763Z

Link: CVE-2024-1295

Vulnrichment

Updated: 2024-08-01T18:33:25.358Z

NVD

Status : Analyzed

Published: 2024-06-14T06:15:10.937

Modified: 2024-08-07T19:06:16.393

Link: CVE-2024-1295

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-1295", "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "state": "PUBLISHED", "assignerShortName": "WPScan", "dateReserved": "2024-02-06T21:24:31.763Z", "datePublished": "2024-06-14T06:00:02.149Z", "dateUpdated": "2024-08-01T18:33:25.358Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan", "dateUpdated": "2024-06-14T06:00:02.149Z"}, "title": "The Events Calendar (Free < 6.4.0.1, Pro < 6.4.0.1) - Contributor+ Arbitrary Events Access", "problemTypes": [{"descriptions": [{"description": "CWE-284 Improper Access Control", "lang": "en", "type": "CWE"}]}], "affected": [{"vendor": "Unknown", "product": "events-calendar-pro", "versions": [{"status": "affected", "versionType": "semver", "version": "0", "lessThan": "6.4.0.1"}], "defaultStatus": "unaffected"}, {"vendor": "Unknown", "product": "The Events Calendar", "versions": [{"status": "affected", "versionType": "semver", "version": "0", "lessThan": "6.4.0.1"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The events-calendar-pro WordPress plugin before 6.4.0.1, The Events Calendar WordPress plugin before 6.4.0.1 does not prevent users with at least the contributor role from leaking details about events they shouldn't have access to. (e.g. password-protected events, drafts, etc.)"}], "references": [{"url": "https://wpscan.com/vulnerability/3cffbeb0-545a-4002-b02c-0fa38cada1db/", "tags": ["exploit", "vdb-entry", "technical-description"]}], "credits": [{"lang": "en", "value": "Scott Kingsley Clark", "type": "finder"}, {"lang": "en", "value": "WPScan", "type": "coordinator"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "WPScan CVE Generator"}}, "adp": [{"affected": [{"vendor": "theeventscalendar", "product": "the_events_calendar", "cpes": ["cpe:2.3:a:theeventscalendar:the_events_calendar:*:*:*:*:*:*:*:*"], "defaultStatus": "unaffected", "versions": [{"version": "0", "status": "affected", "lessThan": "6.4.0.1", "versionType": "semver"}]}, {"vendor": "theeventscalendar", "product": "events_calendar_pro", "cpes": ["cpe:2.3:a:theeventscalendar:events_calendar_pro:*:*:*:*:*:*:*:*"], "defaultStatus": "unaffected", "versions": [{"version": "0", "status": "affected", "lessThan": "6.4.0.1", "versionType": "semver"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2024-07-16T16:55:05.896656Z", "id": "CVE-2024-1295", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-16T17:02:16.338Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T18:33:25.358Z"}, "title": "CVE Program Container", "references": [{"url": "https://wpscan.com/vulnerability/3cffbeb0-545a-4002-b02c-0fa38cada1db/", "tags": ["exploit", "vdb-entry", "technical-description", "x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://wpscan.com/vulnerability/3cffbeb0-545a-4002-b02c-0fa38cada1db/", "tags": ["exploit", "vdb-entry", "technical-description", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T18:33:25.358Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2024-1295", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-07-16T16:55:05.896656Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:theeventscalendar:the_events_calendar:*:*:*:*:*:*:*:*"], "vendor": "theeventscalendar", "product": "the_events_calendar", "versions": [{"status": "affected", "version": "0", "lessThan": "6.4.0.1", "versionType": "semver"}], "defaultStatus": "unaffected"}, {"cpes": ["cpe:2.3:a:theeventscalendar:events_calendar_pro:*:*:*:*:*:*:*:*"], "vendor": "theeventscalendar", "product": "events_calendar_pro", "versions": [{"status": "affected", "version": "0", "lessThan": "6.4.0.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-16T16:55:37.030Z"}}], "cna": {"title": "The Events Calendar (Free < 6.4.0.1, Pro < 6.4.0.1) - Contributor+ Arbitrary Events Access", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Scott Kingsley Clark"}, {"lang": "en", "type": "coordinator", "value": "WPScan"}], "affected": [{"vendor": "Unknown", "product": "events-calendar-pro", "versions": [{"status": "affected", "version": "0", "lessThan": "6.4.0.1", "versionType": "semver"}], "defaultStatus": "unaffected"}, {"vendor": "Unknown", "product": "The Events Calendar", "versions": [{"status": "affected", "version": "0", "lessThan": "6.4.0.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://wpscan.com/vulnerability/3cffbeb0-545a-4002-b02c-0fa38cada1db/", "tags": ["exploit", "vdb-entry", "technical-description"]}], "x_generator": {"engine": "WPScan CVE Generator"}, "descriptions": [{"lang": "en", "value": "The events-calendar-pro WordPress plugin before 6.4.0.1, The Events Calendar WordPress plugin before 6.4.0.1 does not prevent users with at least the contributor role from leaking details about events they shouldn't have access to. (e.g. password-protected events, drafts, etc.)"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "description": "CWE-284 Improper Access Control"}]}], "providerMetadata": {"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan", "dateUpdated": "2024-06-14T06:00:02.149Z"}}}, "cveMetadata": {"cveId": "CVE-2024-1295", "state": "PUBLISHED", "dateUpdated": "2024-08-01T18:33:25.358Z", "dateReserved": "2024-02-06T21:24:31.763Z", "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "datePublished": "2024-06-14T06:00:02.149Z", "assignerShortName": "WPScan"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:tri:the_events_calendar:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "10690677-7DF4-4F8D-883E-86BCE8A1C591", "versionEndExcluding": "6.4.0.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:tri:the_events_calendar:*:*:pro:*:*:wordpress:*:*", "matchCriteriaId": "2CE12E8D-36C5-4F0E-84AB-345AFAC81079", "versionEndExcluding": "6.4.0.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The events-calendar-pro WordPress plugin before 6.4.0.1, The Events Calendar WordPress plugin before 6.4.0.1 does not prevent users with at least the contributor role from leaking details about events they shouldn't have access to. (e.g. password-protected events, drafts, etc.)"}, {"lang": "es", "value": "El complemento events-calendar-pro de WordPress anterior a 6.4.0.1, el complemento Events Calendar WordPress anterior a 6.4.0.1 no impide que los usuarios con al menos el rol de colaborador filtren detalles sobre eventos a los que no deber\u00edan tener acceso. (por ejemplo, eventos protegidos con contrase\u00f1a, borradores, etc.)"}], "id": "CVE-2024-1295", "lastModified": "2024-08-07T19:06:16.393", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2024-06-14T06:15:10.937", "references": [{"source": "contact@wpscan.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://wpscan.com/vulnerability/3cffbeb0-545a-4002-b02c-0fa38cada1db/"}], "sourceIdentifier": "contact@wpscan.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}