
CVSS: 4.3 | EPSS: % | CPEs: 1 | EXPL: 0

The Events Calendar plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 6.5.1.4. This is due to missing or incorrect nonce validation on the action_restore_events() function. This makes it possible for unauthenticated attackers to restore events via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.
• CWE-352: Cross-Site Request Forgery (CSRF)

CVSS: 6.5 | EPSS: 0% | CPEs: 2 | EXPL: 1

The events-calendar-pro WordPress plugin before 6.4.0.1 and The Events Calendar WordPress plugin before 6.4.0.1 do not prevent users with at least the contributor role from leaking details about events they shouldn't have access to (e.g. password-protected events, drafts, etc.). Multiple plugins and/or themes for WordPress are vulnerable to unauthorized access of data due to insufficient capability checks and restrictions on a function in various versions.
• https://wpscan.com/vulnerability/3cffbeb0-545a-4002-b02c-0fa38cada1db
• CWE-862: Missing Authorization

CVSS: 6.1 | EPSS: 0% | CPEs: 1 | EXPL: 1

The Events Calendar WordPress plugin before 6.4.0.1 does not properly sanitize user-submitted content when rendering some views via AJAX. The Events Calendar plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'view_data' parameter in all versions up to, and including, 6.4.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
• https://wpscan.com/vulnerability/b2a92316-e404-4a5e-8426-f88df6e87550
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 4.3 | EPSS: 0% | CPEs: 1 | EXPL: 0

Cross-Site Request Forgery (CSRF) vulnerability in The Events Calendar. This issue affects The Events Calendar: from n/a through 6.3.0. The Events Calendar plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 6.3.0. This is due to missing or incorrect nonce validation on the maybe_dismiss() function.
• https://patchstack.com/database/vulnerability/the-events-calendar/wordpress-the-events-calendar-plugin-6-3-0-cross-site-request-forgery-csrf-vulnerability?_s_id=cve
• CWE-352: Cross-Site Request Forgery (CSRF)

CVSS: 5.3 | EPSS: 0% | CPEs: 1 | EXPL: 0

The Events Calendar plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 6.2.8.2 via the route function hooked into wp_ajax_nopriv_tribe_dropdown. This makes it possible for unauthenticated attackers to extract potentially sensitive data including post titles and IDs of pending, private and draft posts.
• https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3010104%40the-events-calendar%2Ftags%2F6.2.9&old=3010096%40the-events-calendar%2Ftags%2F6.2.9
• https://www.wordfence.com/threat-intel/vulnerabilities/id/fc40196e-c0f3-4bc6-ac4b-b866902def61?source=cve
• CWE-862: Missing Authorization