Events Manager Vulnerability – Calendar, Bookings, Tickets, and more! – Multiple Vulnerabilities – CVE-2024-2111 & CVE-2024-2110 | WordPress Plugin Vulnerability Report
Plugin Name: Events Manager – Calendar, Bookings, Tickets, and more!
Key Information:
- Software Type: Plugin
- Software Slug: events-manager
- Software Status: Active
- Software Author: netweblogic
- Software Downloads: 4,637,218
- Active Installs: 90,000
- Last Updated: March 27, 2024
- Patched Versions: 6.4.7.2
- Affected Versions: <= 6.4.7.1
Vulnerability 1 Details:
- Name: Events Manager <= 6.4.7.1
- Title: Authenticated (Contributor+) Stored Cross-Site Scripting (XSS)
- CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
- CVE: CVE-2024-2111
- CVSS Score: 6.4
- Publicly Published: March 27, 2024
- Researcher: Tim Coen
- Description: The plugin is vulnerable to Stored XSS via the physical location value due to insufficient input sanitization and output escaping, allowing authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts.
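The description above names the two controls whose absence produces a stored XSS: input sanitization and output escaping. The following is an added example, not code from the Events Manager plugin, showing a hypothetical "physical location" field handled both ways. Every function and meta-key name here (hypothetical_save_event_location, _hypo_event_location, and so on) is a placeholder, not an identifier from the plugin.

```php
<?php
/**
 * Added example, not Events Manager's own code: a hypothetical event
 * "physical location" text field saved from the edit screen and rendered
 * on the front end. All names below are placeholders.
 */

// --- Vulnerable pattern: raw input stored, raw output echoed -----------------
function hypothetical_save_event_location_vulnerable( $post_id ) {
    if ( isset( $_POST['event_location'] ) ) {
        // Stored verbatim. A Contributor lacks the unfiltered_html capability,
        // but that only governs post content; nothing here strips or encodes
        // a value such as "<script>...</script>" before it is persisted.
        update_post_meta( $post_id, '_hypo_event_location', wp_unslash( $_POST['event_location'] ) );
    }
}

function hypothetical_render_event_location_vulnerable( $post_id ) {
    // Echoed without escaping: whatever was stored runs in every visitor's
    // browser, including an administrator viewing the event.
    echo '<span class="event-location">' . get_post_meta( $post_id, '_hypo_event_location', true ) . '</span>';
}

// --- Hardened pattern: sanitize on input, escape on output -------------------
function hypothetical_save_event_location( $post_id ) {
    // A nonce check on the submitted form also belongs here; omitted to keep
    // the focus on sanitization and escaping.
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }
    if ( isset( $_POST['event_location'] ) ) {
        // sanitize_text_field() strips tags, removes line breaks and encodes
        // stray '<' characters, which is appropriate for a plain-text name.
        $location = sanitize_text_field( wp_unslash( $_POST['event_location'] ) );
        update_post_meta( $post_id, '_hypo_event_location', $location );
    }
}

function hypothetical_render_event_location( $post_id ) {
    $location = get_post_meta( $post_id, '_hypo_event_location', true );
    // Escape at the point of output regardless of what is stored: the database
    // may hold values written before sanitization existed, or through other
    // code paths (imports, REST requests, older plugin versions).
    echo '<span class="event-location">' . esc_html( $location ) . '</span>';
}

// The same value placed inside an HTML attribute needs attribute escaping,
// because esc_html() does not make a string safe inside a quoted attribute.
function hypothetical_render_event_location_attr( $post_id ) {
    $location = get_post_meta( $post_id, '_hypo_event_location', true );
    echo '<a href="#" data-location="' . esc_attr( $location ) . '">Map</a>';
}

add_action( 'save_post', 'hypothetical_save_event_location' );
```

The design point is that sanitization and escaping are not interchangeable. Sanitizing on save limits what reaches the database, but only escaping at output (esc_html, esc_attr, esc_url, chosen by the HTML context) protects against values that arrived through any other path, which is why a fix for a report like this one normally adds both.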
Vulnerability 2 Details:
- Name: Events Manager <= 6.4.7.1
- Title: Cross-Site Request Forgery (CSRF)
- CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
- CVE: CVE-2024-2110
- CVSS Score: 4.3
- Publicly Published: March 27, 2024
- Researcher: Tim Coen
- Description: The plugin is vulnerable to CSRF due to missing or incorrect nonce validation, allowing unauthenticated attackers to modify booking statuses via a forged request if a site administrator is tricked into clicking a link.
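The CSRF described above arises when a state-changing handler relies on the administrator's session cookie alone, so a request the browser is tricked into sending looks identical to a deliberate one. The following added example, not code from the Events Manager plugin, shows a hypothetical booking-status action without and with WordPress nonce validation. The action name 'hypo_set_booking_status', the function names and the placeholder persistence are all assumptions, not the plugin's identifiers.

```php
<?php
/**
 * Added example, not Events Manager's own code: a hypothetical admin action
 * that changes one booking's status. All names below are placeholders.
 */

// --- Vulnerable pattern: capability check only, no nonce --------------------
// An administrator whose browser loads a crafted link or form elsewhere sends
// this request with their cookies; nothing here proves they intended it.
function hypothetical_set_booking_status_vulnerable() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', 403 );
    }
    $booking_id = isset( $_GET['booking_id'] ) ? absint( $_GET['booking_id'] ) : 0;
    $status     = isset( $_GET['status'] ) ? sanitize_key( $_GET['status'] ) : '';
    hypothetical_update_booking_status( $booking_id, $status );
}

// --- Hardened pattern: nonce bound to the action and the specific record ----
function hypothetical_booking_status_url( $booking_id, $status ) {
    $url = add_query_arg(
        array(
            'action'     => 'hypo_set_booking_status',
            'booking_id' => absint( $booking_id ),
            'status'     => $status,
        ),
        admin_url( 'admin-post.php' )
    );
    // Including the booking id in the nonce action means a nonce issued for
    // one booking cannot be reused against another.
    return wp_nonce_url( $url, 'hypo_set_booking_status_' . absint( $booking_id ), '_wpnonce' );
}

function hypothetical_set_booking_status() {
    $booking_id = isset( $_GET['booking_id'] ) ? absint( $_GET['booking_id'] ) : 0;
    $status     = isset( $_GET['status'] ) ? sanitize_key( $_GET['status'] ) : '';

    // check_admin_referer() verifies the nonce for this action/booking pair and
    // stops with a 403 "link has expired" page if it is missing or wrong.
    // Nonces are derived from the current user's session, so a request forged
    // from another site cannot carry a valid one.
    check_admin_referer( 'hypo_set_booking_status_' . $booking_id, '_wpnonce' );

    // The nonce proves intent; the capability check still decides authority.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', 403 );
    }

    $allowed = array( 'pending', 'approved', 'rejected', 'cancelled' );
    if ( 0 === $booking_id || ! in_array( $status, $allowed, true ) ) {
        wp_die( 'Invalid request', 400 );
    }

    hypothetical_update_booking_status( $booking_id, $status );
    wp_safe_redirect( wp_get_referer() ? wp_get_referer() : admin_url() );
    exit;
}
add_action( 'admin_post_hypo_set_booking_status', 'hypothetical_set_booking_status' );

// Placeholder persistence (assumption): a real handler would write to the
// plugin's own booking storage rather than an option.
function hypothetical_update_booking_status( $booking_id, $status ) {
    update_option( 'hypo_booking_' . $booking_id . '_status', $status );
}
```

Two details matter in review. First, the nonce check comes before any work and is tied to the specific record, so "missing or incorrect nonce validation" (a nonce checked for the wrong action, or only when present) is caught rather than silently passed. Second, the nonce does not replace the capability check: one proves the user meant to send the request, the other that the user is allowed to.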
Summary:
The Events Manager plugin for WordPress, essential for managing calendars, bookings, and tickets, has been identified with two significant vulnerabilities in versions up to and including 6.4.7.1. These issues, which include Stored Cross-Site Scripting and Cross-Site Request Forgery, have been comprehensively addressed in the patched version 6.4.7.2.
Detailed Overview:
Tim Coen's discovery of these vulnerabilities sheds light on critical security risks within the Events Manager plugin. The Stored XSS vulnerability could compromise site integrity and user data by allowing malicious scripts to be injected and executed. Similarly, the CSRF vulnerability could lead to unauthorized changes to booking statuses, undermining the plugin's reliability. The prompt release of version 6.4.7.2 by the developers mitigates these risks, reinforcing the importance of maintaining up-to-date software.
Advice for Users:
- Immediate Action: Update the Events Manager plugin to the patched version 6.4.7.2 immediately to protect your site from these vulnerabilities.
- Check for Signs of Compromise: Monitor your site for unusual activity or unauthorized changes, particularly to booking statuses and event location fields.
- Alternate Plugins: While the current issues have been patched, consider exploring other event management plugins if you frequently encounter security concerns.
- Stay Updated: Regularly update all WordPress plugins, themes, and the core to safeguard against known vulnerabilities.
Conclusion:
The resolution of vulnerabilities in the Events Manager plugin underscores the critical nature of proactive security measures in the WordPress ecosystem. Users are encouraged to update to version 6.4.7.2 or later, ensuring the continued security and functionality of their WordPress installations. These incidents serve as a reminder of the ongoing need for vigilance and timely updates in the digital landscape.
References:
- Wordfence Vulnerability Report for Events Manager - XSS
- Wordfence Vulnerability Report for Events Manager - CSRF