Event Tickets and Registration Vulnerability – Missing Authorization – CVE-2024-1053 | WordPress Plugin Vulnerability Report
Plugin Name: Event Tickets and Registration
Key Information:
- Software Type: Plugin
- Software Slug: event-tickets
- Software Status: Active
- Software Author: theeventscalendar
- Software Downloads: 3,388,630
- Active Installs: 80,000
- Last Updated: February 21, 2024
- Patched Versions: 5.8.2
- Affected Versions: <= 5.8.1
Vulnerability Details:
- Name: Event Tickets and Registration <= 5.8.1 - Missing Authorization
- Title: Missing Authorization
- Type: Improper Access Control
- CVE: CVE-2024-1053
- CVSS Score: 4.3 (Medium)
- Publicly Published: February 21, 2024
- Researcher: Muhammad Daffa
- Description: The Event Tickets and Registration plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'email' action in all versions up to, and including, 5.8.1. This makes it possible for authenticated attackers, with contributor-level access and above, to email the attendees list to themselves.
Summary:
The Event Tickets and Registration plugin for WordPress has a vulnerability in versions up to and including 5.8.1 that allows authenticated users with contributor-level access or higher to improperly access attendee data. This vulnerability has been patched in version 5.8.2.
Detailed Overview:
The Event Tickets and Registration plugin failed to check user capabilities on the 'email' action, allowing authenticated users with contributor access or higher to email the attendee list to themselves without authorization. This exposes private attendee information like names and email addresses. The vulnerability received a CVSS score of 4.3 (Medium) and was publicly disclosed by the researcher Muhammad Daffa on February 21, 2024. Users are advised to update to version 5.8.2, which properly restricts access to this data based on user roles.
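The bug class described above is a handler that performs a privileged operation (emailing the attendee list) without asking WordPress whether the current user is allowed to. The following is an added illustration written for this report, not code from the Event Tickets and Registration plugin: a hypothetical `admin-post.php` handler in its vulnerable shape next to a hardened version that adds a nonce check, a capability check, an object-level check and a fixed recipient. All hook names, function names and the sample attendee data are assumptions.

```php
<?php
/**
 * Added illustration (not the plugin's own code) of the missing-capability-check
 * pattern behind CVE-2024-1053. Hook and function names are hypothetical.
 */

// --- Vulnerable pattern: every logged-in user who can reach the action runs it ---
add_action( 'admin_post_example_email_attendees', 'example_email_attendees_vulnerable' );
function example_email_attendees_vulnerable() {
    $event_id = absint( $_GET['event_id'] ?? 0 );
    $to       = sanitize_email( $_GET['to'] ?? '' );

    // No nonce, no capability check, no ownership check: a contributor can set
    // 'to' to their own address and receive the complete attendee list.
    wp_mail( $to, 'Attendee list', example_build_attendee_csv( $event_id ) );
    wp_die( 'sent' );
}

// --- Hardened pattern ---
add_action( 'admin_post_example_email_attendees_v2', 'example_email_attendees_hardened' );
function example_email_attendees_hardened() {
    $event_id = absint( $_GET['event_id'] ?? 0 );

    // 1. CSRF: the request must carry a nonce minted for this action and event.
    check_admin_referer( 'example_email_attendees_' . $event_id );

    // 2. Authorization: require a capability contributors do not hold.
    //    By default only Editors and Administrators have edit_others_posts.
    if ( ! current_user_can( 'edit_others_posts' ) ) {
        // Log the denial so activity review can spot probing accounts.
        error_log( sprintf( 'attendee export denied: user=%d event=%d',
                            get_current_user_id(), $event_id ) );
        wp_die( 'You are not allowed to export attendee data.', '', array( 'response' => 403 ) );
    }

    // 3. Object-level check: the caller must also be allowed to edit this event.
    $event = get_post( $event_id );
    if ( ! $event || ! current_user_can( 'edit_post', $event_id ) ) {
        wp_die( 'Event not found or not editable by you.', '', array( 'response' => 403 ) );
    }

    // 4. Do not let the request choose the recipient: send to the address on
    //    the current account, which is already gated by the checks above.
    $user = wp_get_current_user();
    wp_mail( $user->user_email,
             'Attendee list for ' . $event->post_title,
             example_build_attendee_csv( $event_id ) );
    wp_die( 'sent' );
}

// Hypothetical helper: a real plugin would query its attendee store here.
function example_build_attendee_csv( $event_id ) {
    $rows = array( array( 'name', 'email' ) );
    foreach ( example_get_attendees( $event_id ) as $a ) {
        $rows[] = array( $a['name'], $a['email'] );
    }
    return implode( "\n", array_map( fn( $r ) => implode( ',', $r ), $rows ) );
}

// Constructed sample data standing in for the plugin's attendee records.
function example_get_attendees( $event_id ) {
    $sample = array(
        42 => array(
            array( 'name' => 'A. Example', 'email' => 'a@example.invalid' ),
            array( 'name' => 'B. Example', 'email' => 'b@example.invalid' ),
        ),
    );
    return $sample[ $event_id ] ?? array();
}
```

The hardened handler expects a link built with `wp_nonce_url( admin_url( 'admin-post.php?action=example_email_attendees_v2&event_id=42' ), 'example_email_attendees_42' )`. The important design point is that the capability and nonce checks run before any data is read, and that `edit_post` on the specific event is checked in addition to the blanket capability, so an editor cannot export attendees for an event they cannot otherwise edit.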
Advice for Users:
- Immediate Action: Update to version 5.8.2 or higher immediately.
- Check for Signs of Compromise: Review user roles (especially contributor-level accounts you do not recognise) and activity or mail logs for attendee-list emails sent by users who should not have had access.
- Consider Alternatives: While an update is recommended, you could also switch to alternative event management plugins as a precaution.
- Stay Updated: Enable automatic updates on all plugins to get security fixes right away.
Conclusion:
The developer addressed this vulnerability quickly by restricting access in the latest release. Users should install version 5.8.2 immediately to prevent unauthorized exposure of attendee data. As always, enabling automatic updates is the best way to stay secure.
References:
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/event-tickets
Detailed Report:
Keeping your WordPress website secure should be a top priority – after all, you don't want your site compromised or your users' data exposed. Unfortunately, vulnerabilities in themes, plugins, and WordPress core are discovered frequently, leaving outdated websites at risk of attack.
Case in point: a recently disclosed vulnerability called "Missing Authorization" in the popular Event Tickets and Registration plugin. This plugin is active on over 80,000 WordPress sites, allowing event organizers to easily manage ticketing and registrations.
The Missing Authorization Vulnerability
Versions up to and including 5.8.1 contain a vulnerability that allows authenticated users with contributor access or higher to improperly access sensitive attendee data. Specifically, they can email full attendee lists to themselves without authorization. This exposes private information like names and emails.
The vulnerability received a CVSS score of 4.3 (Medium severity) and was publicly disclosed on February 21, 2024 by the researcher Muhammad Daffa.
Impacts of the Vulnerability
If exploited, this vulnerability could lead to attendee or customer data being obtained by unauthorized parties. For event companies, this may represent a breach of trust and legal liability.
How to Remediate
The good news is the developer released Event Tickets and Registration version 5.8.2 on February 21st to address this vulnerability by restricting access to attendee data. Users should update immediately to close this security hole.
Previous Vulnerabilities
This is the 5th vulnerability found in Event Tickets and Registration since September 2019 that allowed improper data access, indicating systemic issues. This underscores the importance of prompt patching and upgrades.
Staying Secure
As a small business owner, you likely don't have time to monitor and address vulnerabilities yourself. The easiest approach is enabling automatic background updates everywhere possible so patches occur seamlessly. For plugins, enable auto-updates one-by-one or use a manager plugin. You can also work with a managed service provider to handle updates and security monitoring.
As a business owner, you don't have time to constantly monitor for WordPress vulnerabilities like this. At Your WP Guy, we become your outsourced IT team to handle security, updates, maintenance and support. Let us fully audit your site and plugins to assess any impact from this issue. We'll update everything to patched versions so you can rest easy knowing your site is locked down.
Focus on your business goals while we focus on your WordPress site's security. Chat with us anytime during business hours, schedule a call or call 678-995-5169 for a free consultation on securing your online presence.