CVERadar

CVE-2024-11396

High Severity

SVRS

52/100

CVSSv3

5.3/10

EPSS

0.30693/1

CVE-2024-11396: Unauthenticated information exposure vulnerability in the Event Monster WordPress plugin. This flaw allows attackers to download a publicly accessible CSV file containing sensitive user data, including names, emails, and phone numbers.

CVE-2024-11396 affects versions up to 1.4.3 of the Event Monster – Event Management, Tickets Booking, Upcoming Event plugin. The plugin creates an export file with a predictable name in a publicly accessible directory. While the CVSS score is 5.3, indicating a medium severity, the SVRS score is 52. This score, while not critical, indicates that this vulnerability warrants attention, especially given the sensitive nature of the exposed personal data. Successful exploitation allows unauthenticated attackers to harvest user data, potentially leading to phishing attacks, spam campaigns, or identity theft. Organizations using this plugin should update to a patched version immediately to mitigate this risk and protect user privacy. The issue stems from CWE-359 (Insufficiently Protected Resource).

Indicators of Compromise

No IOCs found for this CVE

Exploits

No exploits found for this CVE

Enhance Your CVE Management with SOCRadar Vulnerability Intelligence

Get comprehensive CVE details, real-time notifications, and proactive threat management all in one platform.

CREATE FREE ACCOUNT

CVE Details

Access comprehensive CVE information instantly

Real-time Tracking

Subscribe to CVEs and get instant updates

Exploit Analysis

Monitor related APT groups and threats

IOC Tracking

Analyze and track CVE-related IOCs

News

CVE-2024-11396 | Event Monster Plugin up to 1.4.3 on WordPress Visitors List Export information disclosure

vuldb.com2025-01-14

CVE-2024-11396 | Event Monster Plugin up to 1.4.3 on WordPress Visitors List Export information disclosure | A vulnerability was found in Event Monster Plugin up to 1.4.3 on WordPress. It has been rated as problematic. Affected by this issue is some unknown functionality of the component Visitors List Export. The manipulation leads to information disclosure. This vulnerability is handled as CVE-2024-11396. The

vuldb.com

rss

forum

news

Social Media

CVE

@CVEnew

2025-01-13

CVE-2024-11396 The Event Monster – Event Management, Tickets Booking, Upcoming Event plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including,… https://t.co/IUbGbwfWOO

Affected Software

No affected software found for this CVE

References

Reference	Link
[email protected]	https://plugins.trac.wordpress.org/browser/event-monster/tags/1.4.3/em-ajax-prossesing/em-visitor-ajax.php#L92
[email protected]	https://www.wordfence.com/threat-intel/vulnerabilities/id/0f522dfe-f2c2-4adb-980c-1f03d3c26e12?source=cve

CWE Details

CWE ID	CWE Name	Description
CWE-359	Exposure of Private Personal Information to an Unauthorized Actor	The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the information or (2) do not have the implicit consent of the person about whom the information is collected.

CVE Radar

Real-time CVE Intelligence & Vulnerability Management Platform

CVE Radar provides comprehensive vulnerability intelligence by monitoring CVE databases, security advisories, and threat feeds. Get instant updates on new vulnerabilities, exploit details, and mitigation strategies specific to your assets.

Get Free Vulnerability Intelligence AccessAccess real-time CVE monitoring, exploit analysis, and threat intelligence