CVE-2024-8671

Name of the Vulnerable Software and Affected Versions: WooEvents - Calendar and Event Booking plugin for WordPress versions up to, and including, 4.1.2

Description: The WooEvents - Calendar and Event Booking plugin for WordPress is vulnerable to arbitrary file overwrite due to insufficient file path validation in the inc/barcode.php file. This makes it possible for unauthenticated attackers to overwrite arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted, such as wp-config.php.

Recommendations: For versions up to, and including, 4.1.2, update to a version higher than 4.1.2 to resolve the issue. As a temporary workaround, consider restricting access to the inc/barcode.php file until a patch is available. Avoid using the vulnerable file path validation in the inc/barcode.php file until the issue is resolved.