Lucene search
Scott Kingsley ClarkWPEX-ID:D80DFE2F-207D-4CDF-8C71-27936C6318E5HistoryFeb 08, 2024 - 12:00 a.m.
Event Tickets and Registration < 5.8.1 - Contributor+ Arbitrary Events Access
2024-02-0800:00:00
Scott Kingsley Clark
28
admin
event tickets
event tickets plus
rsvp
user access
shortcode
user id
exploit.
Description The plugin does not prevent users with at least the contributor role from leaking the existence of certain events they shouldn’t have access to. (e.g. draft, private, pending review, pw-protected, and trashed events).
1. ADMIN: Install Event Tickets
2. ADMIN: Install Event Tickets Plus (Event Tickets Plus required for this specific shortcode that exists in the Event Tickets code)
3. ADMIN: Create pages with each status: published, private, password-protected, draft, and trashed and add one RSVP that has an end sale date of 1 week from now
4. ADMIN: Go to those pages and RSVP for each one as the currently logged in admin
5. CONTRIBUTOR: Add shortcode to any post and specify/guess the user ID and save
6. CONTRIBUTOR: Preview the post and see all pages (of any status) you shouldn't have access to and for any user you shouldn't be able to see
Example shortcode: `[tribe-user-event-confirmations user="ANY_USER_ID"]`Related
wpvulndb
wpvulndb
cvelist
cvelist
cve
cve
CVE-2024-1316
2024-03-04 21:15:07
nvd
nvd
CVE-2024-1316
2024-03-04 21:15:07
prion
prion
Code injection
2024-03-04 21:15:00
6.8 Medium
AI Score
Confidence
Low
0.0004 Low
EPSS
Percentile
9.2%
Related for WPEX-ID:D80DFE2F-207D-4CDF-8C71-27936C6318E5