PT-2026-3571

The The Events Calendar plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the 'start migration', 'cancel migration', and 'revert migration' functions in all versions up to, and including, 6.15.13. This makes it possible for authenticated attackers, wit...

User can block migration actions by starting buyout process

Lines of code Vulnerability details Impact All migration actions such as propose, join, leave, and commit require that the pool's buyout state is INACTIVE. At any point, a user can call buyout.Start to start the buyout process which will change the buyout state to LIVE. Proof of Concept...