CVE-2023-6447
EventPrime < 3.3.6 - Unauthenticated Event Access
Public Exploits: 1
Exploited in Wild: -
Descriptions
The EventPrime WordPress plugin before 3.3.6 lacks authentication and authorization, allowing unauthenticated visitors to access private and password protected Events by guessing their numeric id/event name.
The EventPrime – Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check in all versions up to, and including, 3.3.5. This makes it possible for unauthenticated attackers to retrieve password protected and private events.
CVSS Scores
SSVC
- Decision: -
Timeline
- 2023-11-30 CVE Reserved
- 2023-12-29 CVE Published
- 2024-01-27 EPSS Updated
- 2024-08-02 CVE Updated
- 2024-08-02 First Exploit
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-862: Missing Authorization
CAPEC
References (1)
URL | Date | SRC |
---|---|---|
https://wpscan.com/vulnerability/e366881c-d21e-4063-a945-95e6b080a373 | 2024-08-02 | |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status |
---|---|---|---|---|
Metagauss | Eventprime | < 3.3.6 | wordpress | Affected |