CVE-2024-4665

The EventPrime WordPress plugin before 3.5.0 does not properly validate permissions when updating bookings, allowing users to change/cancel bookings for other users. Additionally, the feature is lacking a nonce.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://wpscan.com/vulnerability/50b78cac-cad1-4526-9655-ae0440739796/	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:metagauss:eventprime:*:*:*:*:*:wordpress:*:*

History

04 Jun 2025, 20:10

Type	Values Removed	Values Added
CPE		cpe:2.3:a:metagauss:eventprime::::::wordpress::*
First Time		Metagauss Metagauss eventprime
References	~~() https://wpscan.com/vulnerability/50b78cac-cad1-4526-9655-ae0440739796/ -~~	() https://wpscan.com/vulnerability/50b78cac-cad1-4526-9655-ae0440739796/ - Exploit, Third Party Advisory
CWE		NVD-CWE-noinfo

16 May 2025, 16:15

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 5.3

16 May 2025, 14:42

Type	Values Removed	Values Added
Summary		(es) El complemento EventPrime de WordPress anterior a la versión 3.5.0 no valida correctamente los permisos al actualizar reservas, lo que permite a los usuarios modificar o cancelar reservas de otros usuarios. Además, esta función carece de un nonce.

15 May 2025, 20:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-05-15 20:15

Updated : 2025-06-04 20:10

NVD link : CVE-2024-4665

Mitre link : CVE-2024-4665

CVE.ORG link : CVE-2024-4665

JSON object : View

Products Affected

metagauss

eventprime

CWE

NVD-CWE-noinfo

5.3 /10