CVE-2024-1295: The Events Calendar (Free < 6.4.0.1, Pro < 6.4.0.1) - Contributor+ Arbitrary Events Access
First published: Fri Jun 14 2024(Updated: )
The events-calendar-pro WordPress plugin before 6.4.0.1, The Events Calendar WordPress plugin before 6.4.0.1 does not prevent users with at least the contributor role from leaking details about events they shouldn't have access to. (e.g. password-protected events, drafts, etc.)
Credit: contact@wpscan.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| The Events Calendar | <6.4.0.1 | |
| The Events Calendar | <6.4.0.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Frequently Asked Questions
What is the severity of CVE-2024-1295?
CVE-2024-1295 has a high severity due to unauthorized access to sensitive event details.
How do I fix CVE-2024-1295?
To fix CVE-2024-1295, update The Events Calendar and Events Calendar Pro plugins to version 6.4.0.1 or later.
What kind of user roles are affected by CVE-2024-1295?
CVE-2024-1295 affects users with at least the contributor role.
What data is exposed by CVE-2024-1295?
CVE-2024-1295 allows leakage of details about password-protected events and drafts.
Which versions of The Events Calendar are vulnerable to CVE-2024-1295?
The vulnerable versions of The Events Calendar and Events Calendar Pro are those before 6.4.0.1.
- agent/references
- agent/title
- agent/weakness
- agent/type
- agent/description
- agent/first-publish-date
- agent/author
- agent/severity
- agent/event
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/softwarecombine
- agent/source
- agent/tags
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- vendor/tri
- canonical/the events calendar