CVE-2024-2110: CSRF
First published: Thu Mar 28 2024(Updated: )
The Events Manager – Calendar, Bookings, Tickets, and more! plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.4.7.1. This is due to missing or incorrect nonce validation on several actions. This makes it possible for unauthenticated attackers to modify booking statuses via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Credit: security@wordfence.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Pixelite Events Manager | <6.4.7.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2024-2110?
CVE-2024-2110 is classified as a moderate severity vulnerability due to its potential for Cross-Site Request Forgery exploits.
How do I fix CVE-2024-2110?
To fix CVE-2024-2110, update the Events Manager plugin to version 6.4.7.2 or later.
What actions are affected by CVE-2024-2110?
CVE-2024-2110 affects several actions in the Events Manager plugin due to missing or incorrect nonce validation.
Who can exploit CVE-2024-2110?
CVE-2024-2110 can be exploited by unauthenticated attackers due to its CSRF vulnerability.
What versions of the Events Manager plugin are vulnerable to CVE-2024-2110?
All versions of the Events Manager plugin up to and including 6.4.7.1 are vulnerable to CVE-2024-2110.
- collector/mitre-cve
- source/MITRE
- agent/references
- agent/weakness
- agent/type
- agent/description
- agent/first-publish-date
- agent/severity
- agent/author
- agent/event
- agent/remedy
- agent/last-modified-date
- agent/softwarecombine
- agent/source
- agent/tags
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- vendor/pixelite
- canonical/pixelite events manager