CVE-2024-1295

The events-calendar-pro WordPress plugin before 6.4.0.1, The Events Calendar WordPress plugin before 6.4.0.1 does not prevent users with at least the contributor role from leaking details about events they shouldn't have access to. (e.g. password-protected events, drafts, etc.)

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://wpscan.com/vulnerability/3cffbeb0-545a-4002-b02c-0fa38cada1db/	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:tri:the_events_calendar:*:*:*:*:*:wordpress:*:*

Configuration 2 (hide)

cpe:2.3:a:tri:the_events_calendar:*:*:pro:*:*:wordpress:*:*

History

07 Aug 2024, 19:06

Type	Values Removed	Values Added
References	~~() https://wpscan.com/vulnerability/3cffbeb0-545a-4002-b02c-0fa38cada1db/ -~~	() https://wpscan.com/vulnerability/3cffbeb0-545a-4002-b02c-0fa38cada1db/ - Exploit, Third Party Advisory
CWE		NVD-CWE-Other
First Time		Tri Tri the Events Calendar
CPE		cpe:2.3:a:tri:the_events_calendar:::pro:::wordpress:: cpe:2.3:a:tri:the_events_calendar::::::wordpress::*

01 Aug 2024, 13:46

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 6.5

17 Jun 2024, 12:42

Type	Values Removed	Values Added
Summary		(es) El complemento events-calendar-pro de WordPress anterior a 6.4.0.1, el complemento Events Calendar WordPress anterior a 6.4.0.1 no impide que los usuarios con al menos el rol de colaborador filtren detalles sobre eventos a los que no deberían tener acceso. (por ejemplo, eventos protegidos con contraseña, borradores, etc.)

14 Jun 2024, 06:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-06-14 06:15

Updated : 2024-08-07 19:06

NVD link : CVE-2024-1295

Mitre link : CVE-2024-1295

CVE.ORG link : CVE-2024-1295

JSON object : View

Products Affected

tri

the_events_calendar

CWE

NVD-CWE-Other

{"id": "CVE-2024-1295", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2024-06-14T06:15:10.937", "references": [{"url": "https://wpscan.com/vulnerability/3cffbeb0-545a-4002-b02c-0fa38cada1db/", "tags": ["Exploit", "Third Party Advisory"], "source": "contact@wpscan.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-Other"}]}], "descriptions": [{"lang": "en", "value": "The events-calendar-pro WordPress plugin before 6.4.0.1, The Events Calendar WordPress plugin before 6.4.0.1 does not prevent users with at least the contributor role from leaking details about events they shouldn't have access to. (e.g. password-protected events, drafts, etc.)"}, {"lang": "es", "value": "El complemento events-calendar-pro de WordPress anterior a 6.4.0.1, el complemento Events Calendar WordPress anterior a 6.4.0.1 no impide que los usuarios con al menos el rol de colaborador filtren detalles sobre eventos a los que no deber\u00edan tener acceso. (por ejemplo, eventos protegidos con contrase\u00f1a, borradores, etc.)"}], "lastModified": "2024-08-07T19:06:16.393", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:tri:the_events_calendar:*:*:*:*:*:wordpress:*:*", "vulnerable": true, "matchCriteriaId": "10690677-7DF4-4F8D-883E-86BCE8A1C591", "versionEndExcluding": "6.4.0.1"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:tri:the_events_calendar:*:*:pro:*:*:wordpress:*:*", "vulnerable": true, "matchCriteriaId": "2CE12E8D-36C5-4F0E-84AB-345AFAC81079", "versionEndExcluding": "6.4.0.1"}], "operator": "OR"}]}], "sourceIdentifier": "contact@wpscan.com"}