CVE-2024-1053 - Vulnerability Details - OpenCVE

The Event Tickets and Registration plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'email' action in all versions up to, and including, 5.8.1. This makes it possible for authenticated attackers, with contributor-level access and above, to email the attendees list to themselves.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Liquidweb	Event Tickets

Configuration 1 [-]

cpe:2.3:a:liquidweb:event_tickets:*:*:*:*:free:wordpress:*:*

No data.

References

Link	Providers
https://plugins.trac.wordpress.org/changeset/3038150/event-tickets/tags/5.8.2/src/Tickets/Commerce/Reports/Attendees.php
https://www.wordfence.com/threat-intel/vulnerabilities/id/a7839847-2637-4a0d-bfc1-5f80b8433e24?source=cve

History

Fri, 07 Feb 2025 15:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Liquidweb Liquidweb event Tickets
Weaknesses		CWE-862
CPEs		cpe:2.3:a:liquidweb:event_tickets:::::free:wordpress::
Vendors & Products		Liquidweb Liquidweb event Tickets

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2024-02-22T05:32:49.364Z

Updated: 2024-08-01T18:26:30.353Z

Reserved: 2024-01-29T20:46:49.355Z

Link: CVE-2024-1053

Vulnrichment

Updated: 2024-08-01T18:26:30.353Z

NVD

Status : Analyzed

Published: 2024-02-22T06:15:57.703

Modified: 2025-02-07T15:24:56.923

Link: CVE-2024-1053

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-1053", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2024-01-29T20:46:49.355Z", "datePublished": "2024-02-22T05:32:49.364Z", "dateUpdated": "2024-08-01T18:26:30.353Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2024-02-22T05:32:49.364Z"}, "affected": [{"vendor": "theeventscalendar", "product": "Event Tickets and Registration", "versions": [{"version": "*", "status": "affected", "lessThanOrEqual": "5.8.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Event Tickets and Registration plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'email' action in all versions up to, and including, 5.8.1. This makes it possible for authenticated attackers, with contributor-level access and above, to email the attendees list to themselves."}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a7839847-2637-4a0d-bfc1-5f80b8433e24?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3038150/event-tickets/tags/5.8.2/src/Tickets/Commerce/Reports/Attendees.php"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-284 Improper Access Control"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Daffa"}], "timeline": [{"time": "2024-02-21T00:00:00.000+00:00", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-1053", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-02-22T16:18:40.325327Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-05T17:21:54.518Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T18:26:30.353Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a7839847-2637-4a0d-bfc1-5f80b8433e24?source=cve", "tags": ["x_transferred"]}, {"url": "https://plugins.trac.wordpress.org/changeset/3038150/event-tickets/tags/5.8.2/src/Tickets/Commerce/Reports/Attendees.php", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a7839847-2637-4a0d-bfc1-5f80b8433e24?source=cve", "tags": ["x_transferred"]}, {"url": "https://plugins.trac.wordpress.org/changeset/3038150/event-tickets/tags/5.8.2/src/Tickets/Commerce/Reports/Attendees.php", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T18:26:30.353Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-1053", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-02-22T16:18:40.325327Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-05T15:20:40.547Z"}}], "cna": {"credits": [{"lang": "en", "type": "finder", "value": "Muhammad Daffa"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"}}], "affected": [{"vendor": "theeventscalendar", "product": "Event Tickets and Registration", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "5.8.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2024-02-21T00:00:00.000+00:00", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a7839847-2637-4a0d-bfc1-5f80b8433e24?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3038150/event-tickets/tags/5.8.2/src/Tickets/Commerce/Reports/Attendees.php"}], "descriptions": [{"lang": "en", "value": "The Event Tickets and Registration plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'email' action in all versions up to, and including, 5.8.1. This makes it possible for authenticated attackers, with contributor-level access and above, to email the attendees list to themselves."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-284 Improper Access Control"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2024-02-22T05:32:49.364Z"}}}, "cveMetadata": {"cveId": "CVE-2024-1053", "state": "PUBLISHED", "dateUpdated": "2024-08-01T18:26:30.353Z", "dateReserved": "2024-01-29T20:46:49.355Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2024-02-22T05:32:49.364Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:liquidweb:event_tickets:*:*:*:*:free:wordpress:*:*", "matchCriteriaId": "95CAAF71-8C53-4425-B424-3E6CCF952148", "versionEndExcluding": "5.8.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The Event Tickets and Registration plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'email' action in all versions up to, and including, 5.8.1. This makes it possible for authenticated attackers, with contributor-level access and above, to email the attendees list to themselves."}, {"lang": "es", "value": "El complemento Event Tickets and Registration para WordPress es vulnerable al acceso no autorizado a los datos debido a una falta de verificaci\u00f3n de capacidad en la acci\u00f3n 'email' en todas las versiones hasta la 5.8.1 incluida. Esto hace posible que los atacantes autenticados, con acceso de nivel de colaborador y superior, se env\u00eden por correo electr\u00f3nico la lista de asistentes."}], "id": "CVE-2024-1053", "lastModified": "2025-02-07T15:24:56.923", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2024-02-22T06:15:57.703", "references": [{"source": "security@wordfence.com", "tags": ["Patch"], "url": "https://plugins.trac.wordpress.org/changeset/3038150/event-tickets/tags/5.8.2/src/Tickets/Commerce/Reports/Attendees.php"}, {"source": "security@wordfence.com", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a7839847-2637-4a0d-bfc1-5f80b8433e24?source=cve"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://plugins.trac.wordpress.org/changeset/3038150/event-tickets/tags/5.8.2/src/Tickets/Commerce/Reports/Attendees.php"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a7839847-2637-4a0d-bfc1-5f80b8433e24?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "nvd@nist.gov", "type": "Primary"}]}