CVE-2024-11396

{"id": "CVE-2024-11396", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 3.9}]}, "published": "2025-01-14T01:15:09.110", "references": [{"url": "https://plugins.trac.wordpress.org/browser/event-monster/tags/1.4.3/em-ajax-prossesing/em-visitor-ajax.php#L92", "tags": ["Product"], "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0f522dfe-f2c2-4adb-980c-1f03d3c26e12?source=cve", "tags": ["Third Party Advisory"], "source": "[email protected]"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-359"}]}], "descriptions": [{"lang": "en", "value": "The Event Monster \u2013 Event Management, Tickets Booking, Upcoming Event plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.4.3 via the Visitors List Export file. During the export, a CSV file is created in the wp-content folder with a hardcoded filename that is publicly accessible. This makes it possible for unauthenticated attackers to extract data about event visitors, that includes first and last names, email, and phone number."}, {"lang": "es", "value": " El complemento Event Monster \u2013 Event Management, Tickets Booking, Upcoming Event para WordPress es vulnerable a la exposici\u00f3n de informaci\u00f3n en todas las versiones hasta la 1.4.3 inclusive a trav\u00e9s del archivo Visitors List Export. Durante la exportaci\u00f3n, se crea un archivo CSV en la carpeta wp-content con un nombre de archivo codificado de forma r\u00edgida que es de acceso p\u00fablico. Esto permite que atacantes no autenticados extraigan datos sobre los visitantes del evento, que incluyen nombre y apellido, correo electr\u00f3nico y n\u00famero de tel\u00e9fono."}], "lastModified": "2025-06-05T15:21:26.763", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:awplife:event_monster:*:*:*:*:*:wordpress:*:*", "vulnerable": true, "matchCriteriaId": "9660EE7F-FE5B-4BE4-993C-1E957FD1525B", "versionEndExcluding": "1.4.4"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}