CVE-2024-11396
Published: 14 January 2025
Description
The Event Monster – Event Management, Tickets Booking, Upcoming Event plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.4.3 via the Visitors List Export file. During the export, a CSV file is created in the wp-content folder with a hardcoded filename that is publicly accessible. This makes it possible for unauthenticated attackers to extract data about event visitors, that includes first and last names, email, and phone number.
Security Summary
CVE-2024-11396, published on 2025-01-14, is an information exposure vulnerability (CWE-359) in the Event Monster – Event Management, Tickets Booking, Upcoming Event plugin for WordPress, affecting all versions up to and including 1.4.3. The flaw occurs in the Visitors List Export feature, where a CSV file is generated in the publicly accessible wp-content folder using a hardcoded filename, enabling unauthorized access to sensitive visitor data.
Unauthenticated attackers can exploit this vulnerability remotely with low complexity and no user interaction, as indicated by its CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N). By requesting the predictable CSV file URL, they can extract event visitor details, including first names, last names, email addresses, and phone numbers.
Advisories provide further technical details for mitigation; the Wordfence threat intelligence page at https://www.wordfence.com/threat-intel/vulnerabilities/id/0f522dfe-f2c2-4adb-980c-1f03d3c26e12?source=cve outlines the issue, while the plugin source code at https://plugins.trac.wordpress.org/browser/event-monster/tags/1.4.3/em-ajax-prossesing/em-visitor-ajax.php#L92 identifies the vulnerable export logic at line 92. Security practitioners should check for plugin updates beyond 1.4.3 and review server configurations to restrict wp-content access.
Details
- CWE(s)