CVE-2024-11396 Scanner
Event Monster <= 1.4.3 - Information Exposure Via Visitors List Export CVE-2024-11396 Scanner
Short Info
Level
Medium
Single Scan
Single Scan
Can be used by
Asset Owner
Estimated Time
10 seconds
Time Interval
10 days 14 hours
Scan only one
Domain, Subdomain, IPv4
Toolbox
-
The Event Monster plugin is a widely-used tool for event management, ticket booking, and upcoming event management in WordPress. It allows users to manage event details and ticket sales. This plugin is employed by WordPress site administrators to facilitate event registration and attendance. Event Monster offers a range of features, including the ability to export event visitor information. The software is generally used by event organizers to track attendee data. However, a vulnerability has been identified in versions up to 1.4.3, making it prone to information leakage.
This vulnerability occurs due to an insecurely exposed CSV file containing sensitive visitor data. The CSV file is created when an event's visitors list is exported. The file is stored in the wp-content directory with a hardcoded filename, making it accessible to anyone who knows the URL. Attackers can download the file and retrieve personal information, such as names, emails, and phone numbers, without authentication. This represents a significant privacy risk to event attendees. The issue exists in all versions up to and including 1.4.3 of the Event Monster plugin.
The vulnerability arises from improper file handling and a lack of authorization control during the export process. When the visitors list is exported, a CSV file is generated in the wp-content folder, which can be accessed publicly. The filename is hardcoded, and no authentication is required to access it. This allows attackers to access personal information about event attendees. The vulnerability is triggered when an attacker sends a GET request to the wp-content/uploads/visitors-list.csv URL. As the file contains sensitive data like first and last names, emails, and phone numbers, its exposure could lead to privacy violations.
If exploited, this vulnerability can lead to significant information exposure. Attackers could extract sensitive personal information of event attendees. This could result in privacy breaches, identity theft, or phishing attacks. The leaked information could be used to target victims with spam, scams, or other malicious activities. In some cases, it could damage the reputation of the event organizers. The exposed data may also lead to legal or compliance issues related to privacy regulations.
References:
- https://github.com/RandomRobbieBF/CVE-2024-11396
- https://plugins.trac.wordpress.org/browser/event-monster/tags/1.4.3/em-ajax-prossesing/em-visitor-ajax.php#L92
- https://www.wordfence.com/threat-intel/vulnerabilities/id/0f522dfe-f2c2-4adb-980c-1f03d3c26e12?source=cve
- https://nvd.nist.gov/vuln/detail/CVE-2024-11396
- https://github.com/advisories/GHSA-6x4w-fvqp-6jvc
