Impact
The vulnerability is a Cross‑Site Request Forgery (CWE‑352) that allows an attacker to forge requests on behalf of an authenticated user. This can enable the attacker to perform actions within the plugin without the user’s explicit consent. The exact nature of those actions is not specified in the advisory.
Affected Systems
The affected product is the WordPress Event Manager for WooCommerce plugin, codename WpEvently, developed by Magepeople. Versions up to and including 4.1.2 are impacted. The vulnerability applies to all installations running a version of the plugin within that range.
Risk and Exploitability
The CVSS score of 4.3 indicates a moderate severity. EPSS is not available, so the current exploitation probability is unknown, and the vulnerability is not listed in the CISA KEV catalog. Exploitation likely requires the victim to be logged into WordPress with permissions to use the plugin, with the attacker targeting that authenticated session through a crafted request. Because the advisory details no specific attack vector, the attack is inferred to follow the typical CSRF exploitation path through the user's browser.