Primary

Context

Eventer WordPress Plugin Missing Authorization Vulnerability in Bookings Export

Vulnerability

Patched

A vulnerability exists in the Eventer plugin for WordPress, all versions through 3.9.9, allowing unauthorized data access. The issue arises from a missing capability check in the 'eventer_export_bookings_csv' function. This flaw enables authenticated attackers with subscriber-level permissions or higher to download booking data containing personal information of customers.

Impact

Exploitation of this vulnerability allows for unauthorized access to personal data of customers through the export of booking information.

Remediation

Users can update to version 3.9.9.1 or a newer patched version to address this vulnerability.

Added: Jun 9, 2025, 7:46 PM

Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread

1.0

impact

2.5

exploitability

5.4

remediation

7.7

relevance

0.0

threat

0.0

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

1.0

impact

2.5

exploitability

5.4

remediation

7.7

relevance

0.0

threat

0.0

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Eventer WordPress Plugin Missing Authorization Vulnerability in Bookings Export

Vulnerability

Impact

Remediation

Affected Products

Eventer

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating