Source: wpexploit | Author: Scott Kingsley Clark | WPEX-ID: 3CFFBEB0-545A-4002-B02C-0FA38CADA1DB
Published: May 24, 2024

The Events Calendar (Free < 6.4.0.1, Pro < 6.4.0.1) - Contributor+ Arbitrary Events Access

Tags: events calendar, vulnerability, update

AI Score: 9.6 High (Confidence: High)
EPSS: 0.0004 Low (Percentile: 9.1%)

Description: The plugin does not prevent users with at least the contributor role from leaking details about events they should not have access to (e.g. password-protected events, drafts, trashed events, etc.) by rendering an event of their choosing through a shortcode.

Free:
1. ADMIN: Install The Events Calendar
2. ADMIN: Create events with each status: published, private, password-protected, draft, and trashed
3. CONTRIBUTOR: Add shortcode to any post and specify/guess the event ID and save
4. CONTRIBUTOR: Preview the post and see event you shouldn't have access to

Example shortcode: `[tribe:event-details id="ANY_EVENT_ID"]`

Pro:
1. ADMIN: Install The Events Calendar
2. ADMIN: Install Events Calendar Pro
3. ADMIN: Create events with each status: published, private, password-protected, draft, and trashed
4. CONTRIBUTOR: Add shortcode to any post and specify/guess the event ID and save
5. CONTRIBUTOR: Preview the post and see event you shouldn't have access to

Example shortcode: `[tribe_event_inline id="ANY_EVENT_ID"]{title} {content}[/tribe_event_inline]`
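As an added illustration of the bug class behind both reproduction sequences (this is not The Events Calendar's code and not the vendor's fix), a shortcode callback that renders any post by the ID its author supplies, beside a hardened version that checks the viewer's read capability and the post password before rendering. The function names `insecure_event_shortcode` and `hardened_event_shortcode`, the shortcode tag `example_event_details`, and the `tribe_events` post type slug are assumptions.

```php
<?php
// Added illustration of the bug class, not the plugin's own code.
// Assumed names: insecure_event_shortcode, hardened_event_shortcode,
// example_event_details, and the 'tribe_events' post type slug.

// Vulnerable pattern: renders whatever post ID the shortcode author supplies.
// get_post() happily returns draft, private, trashed and password-protected
// posts, so a contributor previewing their own post sees all of them.
function insecure_event_shortcode( $atts ) {
    $atts = shortcode_atts( array( 'id' => 0 ), $atts );
    $post = get_post( (int) $atts['id'] );
    if ( ! $post ) {
        return '';
    }
    return '<h3>' . esc_html( $post->post_title ) . '</h3>'
        . apply_filters( 'the_content', $post->post_content );
}

// Hardened pattern: render only what the current viewer may read.
// During a contributor's preview, the viewer is the contributor.
function hardened_event_shortcode( $atts ) {
    $atts = shortcode_atts( array( 'id' => 0 ), $atts );
    $id   = (int) $atts['id'];
    $post = get_post( $id );

    // Only the intended post type; refuse any other post reachable by ID.
    if ( ! $post || 'tribe_events' !== $post->post_type ) {
        return '';
    }
    // 'read_post' maps to read / read_private_posts / edit_others_posts
    // depending on post status, so drafts, private and trashed events
    // belonging to other authors are rejected for a contributor.
    if ( ! current_user_can( 'read_post', $id ) ) {
        return '';
    }
    // A password-protected event is published, so the capability check
    // passes; the password gate has to be enforced explicitly.
    if ( post_password_required( $post ) ) {
        return get_the_password_form( $post );
    }
    return '<h3>' . esc_html( get_the_title( $post ) ) . '</h3>'
        . apply_filters( 'the_content', $post->post_content );
}

add_shortcode( 'example_event_details', 'hardened_event_shortcode' );
```

The same two checks (viewer capability for the given ID, then the password gate) apply to any shortcode, block or REST handler that accepts an arbitrary post ID, regardless of who authored the page containing it.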
