CVE-2024-1123

Name of the Vulnerable Software and Affected Versions The EventPrime – Events Calendar, Bookings and Tickets plugin for WordPress versions up to, and including, 3.4.2

Description The issue is related to a missing capability check on the save frontend event submission() function, allowing unauthorized modification of data. This enables authenticated attackers with subscriber-level access and above to overwrite the title and content of arbitrary posts. Additionally, unauthenticated attackers can exploit this when the allow submission by anonymous user setting is enabled.

Recommendations For versions up to, and including, 3.4.2, update to a version that includes a fix for the missing capability check on the save frontend event submission() function. As a temporary workaround, consider disabling the save frontend event submission() function until a patch is available. Restrict access to modify posts to minimize the risk of exploitation. Avoid using the allow submission by anonymous user setting until the issue is resolved.