CVE-2023-4251
EventPrime < 3.2.0 - Booking Creation via CSRF
Public Exploits: 1
Exploited in Wild: -
Descriptions
The EventPrime WordPress plugin before 3.2.0 does not have CSRF checks when creating bookings, which could allow attackers to make logged in users create unwanted bookings via CSRF attacks.
The EventPrime WordPress plugin prior to 3.2.0 has no CSRF checks when creating bookings, which could allow attackers to make registered users create unwanted bookings through CSRF attacks.
The EventPrime plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to 3.2.0. This is due to missing or incorrect nonce validation on one of its functions. This makes it possible for unauthenticated attackers to create event bookings via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link. CVE-2023-5519 appears to be a duplicate assignment for this issue.
Timeline
- 2023-08-08 CVE Reserved
- 2023-10-09 CVE Published
- 2024-08-02 CVE Updated
- 2024-08-02 First Exploit
- 2024-09-30 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-352: Cross-Site Request Forgery (CSRF)
References (1)
URL | Date |
---|---|
https://wpscan.com/vulnerability/ce564628-3d15-4bc5-8b8e-60b71786ac19 | 2024-08-02 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status |
---|---|---|---|---|
Metagauss | Eventprime | < 3.2.0 | wordpress | Affected |