CVE-2024-6883 – Event Espresso 4 Decaf – Event Registration Event Ticketing <= 5.0.22.decaf - Authenticated (Subscriber+) Missing Authorization to Limited Plugin Settings Modification
https://notcve.org/view.php?id=CVE-2024-6883
The Event Espresso 4 Decaf – Event Registration Event Ticketing plugin for WordPress is vulnerable to limited unauthorized plugin settings modification due to a missing capability check on the saveTimezoneString and some other functions in all versions up to, and including, 5.0.22.decaf. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify some of the plugin settings.
The Event Espresso 4 Decaf – Event Registration Event Ticketing plugin for WordPress is vulnerable to limited unauthorized plugin settings modification due to a missing capability check on the saveTimezoneString and some other functions in all versions up to and including 4.10.46.decaf. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify some of the plugin settings.
• https://plugins.trac.wordpress.org/browser/event-espresso-decaf/tags/4.10.46.decaf/admin_pages/events/Events_Admin_Page.core.php#L2800
• https://www.wordfence.com/threat-intel/vulnerabilities/id/689abb68-0c19-4f89-91db-fd15ab8bca8e?source=cve
• CWE-862: Missing Authorization
CVE-2023-27437 – WordPress Event Espresso 4 Decaf plugin <= 4.10.44.decaf - Bypass vulnerability
https://notcve.org/view.php?id=CVE-2023-27437
Missing Authorization vulnerability in Event Espresso Event Espresso 4 Decaf allows Functionality Misuse. This issue affects Event Espresso 4 Decaf: from n/a through 4.10.44.Decaf.
The Event Espresso 4 Decaf plugin for WordPress is vulnerable to bypass of a plugin feature in versions up to, and including, 4.10.44.decaf. This is due to incorrect validation of the number of tickets ordered per order when making a ticket purchase.
• https://patchstack.com/database/vulnerability/event-espresso-decaf/wordpress-event-espresso-4-decaf-plugin-4-10-44-decaf-bypass-vulnerability?_s_id=cve
• CWE-354: Improper Validation of Integrity Check Value
• CWE-862: Missing Authorization