Description
Cross-Site request forgery (CSRF) vulnerability in Magepeople inc. WpEvently allows Cross Site Request Forgery.

This issue affects WpEvently: from n/a through 4.1.2.
Published: 2026-06-11
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a Cross‑Site Request Forgery (CWE‑352) that allows an attacker to forge requests on behalf of an authenticated user. This can enable the attacker to perform actions within the plugin without the user’s explicit consent. The exact nature of those actions is not specified in the advisory.

Affected Systems

The affected product is the WordPress Event Manager for WooCommerce plugin, codename WpEvently, developed by Magepeople. Versions up to and including 4.1.2 are impacted. The vulnerability applies to all installations running a version of the plugin within that range.

Risk and Exploitability

The CVSS score of 4.3 indicates a moderate severity. EPSS is not available, so the current exploitation probability is unknown, and the vulnerability is not listed in the CISA KEV catalog. Likely, exploitation requires the victim to be logged into WordPress with permissions to use the plugin, and an attacker would target the authenticated session with a crafted request. Because no specific attack vector is detailed, the attack is inferred to rely on the typical CSRF exploitation path involving a user’s browser.

Generated by OpenCVE AI on June 11, 2026 at 09:50 UTC.

Remediation

Vendor Solution

Update the WordPress Event Manager for WooCommerce plugin to the latest available version (at least 4.1.3).


OpenCVE Recommended Actions

  • Update the WordPress Event Manager for WooCommerce plugin to version 4.1.3 or later.
  • Enable or verify that CSRF tokens are present on all state‑changing plugin forms.
  • Restrict user roles that can perform critical plugin actions to the minimum necessary.

Generated by OpenCVE AI on June 11, 2026 at 09:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 11 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 11 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Magepeopleteam
Magepeopleteam wpevently
Wordpress
Wordpress wordpress
Vendors & Products Magepeopleteam
Magepeopleteam wpevently
Wordpress
Wordpress wordpress

Thu, 11 Jun 2026 08:30:00 +0000

Type Values Removed Values Added
Description Cross-Site request forgery (CSRF) vulnerability in Magepeople inc. WpEvently allows Cross Site Request Forgery. This issue affects WpEvently: from n/a through 4.1.2.
Title WordPress Event Manager and Tickets Selling Plugin for WooCommerce plugin <= 4.1.2 - Cross Site Request Forgery (CSRF) vulnerability
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


Subscriptions

Magepeopleteam Wpevently
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-11T16:13:31.880Z

Reserved: 2024-04-10T19:19:25.419Z

Link: CVE-2024-32110

cve-icon Vulnrichment

Updated: 2026-06-11T15:42:20.095Z

cve-icon NVD

Status : Deferred

Published: 2026-06-11T09:16:25.400

Modified: 2026-06-11T14:42:47.007

Link: CVE-2024-32110

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-11T10:30:11Z

Weaknesses
  • CWE-352

    Cross-Site Request Forgery (CSRF)