CVE-2024-11396

Name of the Vulnerable Software and Affected Versions Event Monster – Event Management, Tickets Booking, Upcoming Event plugin for WordPress versions up to, and including, 1.4.3

Description The issue concerns information exposure through the Visitors List Export file. During export, a CSV file is created in the wp-content folder with a hardcoded filename that is publicly accessible. This allows unauthenticated attackers to extract data about event visitors, including first and last names, email, and phone number.

Recommendations For versions up to, and including, 1.4.3, consider disabling the Visitors List Export feature until a patch is available to prevent unauthenticated access to sensitive visitor information. Restrict access to the wp-content folder to minimize the risk of exploitation. Avoid using the publicly accessible CSV file for sensitive data storage until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.