PT-2025-2071 · WordPress · Ht Event – Wordpress Event Manager Plugin For Elementor

Ankit Patel · Published 2025-01-31 · Updated 2025-01-31 · CVE-2024-13216

CVSS v3.1: 4.3 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions

The HT Event – WordPress Event Manager Plugin for Elementor plugin for WordPress versions up to, and including, 1.4.7.

Description

The issue allows authenticated attackers with Contributor-level access and above to extract sensitive private, pending, scheduled, and draft template data via the render function in /includes/widgets/htevent sponsor.php. This makes it possible for attackers to access sensitive information.

Recommendations

For versions up to, and including, 1.4.7, consider disabling the render function in /includes/widgets/htevent sponsor.php until a patch is available to prevent exploitation. Restrict access to the /includes/widgets/htevent sponsor.php file to minimize the risk of sensitive information exposure. Avoid using the render function for sensitive template data until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Weakness Enumeration

Related Identifiers

CVE-2024-13216

Affected Products

Ht Event – Wordpress Event Manager Plugin For Elementor