CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 2CVE-2024-11396 – Event monster <= 1.4.3 - Information Exposure Via Visitors List Export
https://notcve.org/view.php?id=CVE-2024-11396
13 Jan 2025 — The Event Monster – Event Management, Tickets Booking, Upcoming Event plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.4.3 via the Visitors List Export file. During the export, a CSV file is created in the wp-content folder with a hardcoded filename that is publicly accessible. This makes it possible for unauthenticated attackers to extract data about event visitors, that includes first and last names, email, and phone number. WordPress Event Monster plugin ... • https://packetstorm.news/files/id/188663 • CWE-359: Exposure of Private Personal Information to an Unauthorized Actor •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-1895 – Event Monster <= 1.3.9 - Authenticated(Contributor+) PHP Object Injection via Custom Meta
https://notcve.org/view.php?id=CVE-2024-1895
29 Apr 2024 — The Event Monster – Event Management, Tickets Booking, Upcoming Event plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.3.4 via deserialization via shortcode of untrusted input from a custom meta value. This makes it possible for authenticated attackers, with contributor access and above, to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it coul... • https://plugins.trac.wordpress.org/browser/event-monster/tags/1.3.3/shortcode.php • CWE-502: Deserialization of Untrusted Data •