PT-2024-17941 · WordPress · Eventprime – Events Calendar

Lucio Sá · Published 2024-03-13 · Updated 2025-01-15 · CVE-2024-1321

CVSS v3.1: 5.3 (Medium)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Name of the Vulnerable Software and Affected Versions

The EventPrime – Events Calendar, Bookings and Tickets plugin for WordPress versions up to, and including, 3.4.2

Description

The issue allows unauthenticated users to update the status of order payments, making it possible for attackers to book events for free. This is due to the plugin permitting unauthenticated access to modify payment statuses.

Recommendations

For versions up to, and including, 3.4.2, update to a version later than 3.4.2 to resolve the issue. As a temporary workaround, consider restricting access to the payment status update functionality to authenticated users only.

Fix

Insufficient Verification of Data Authenticity

Weakness Enumeration

Related Identifiers

CVE-2024-1321

Affected Products

Eventprime – Events Calendar