Event Monster WordPress Plugin Information Exposure Vulnerability

Vulnerability

An information exposure vulnerability affects the Event Monster WordPress plugin in versions up to and including 1.4.3. When the Visitors List is exported, the plugin writes the export as a CSV file under the wp-content directory using a hardcoded filename. Because wp-content is served directly by the web server, the resulting file sits at a predictable, publicly reachable URL, and anyone who knows or guesses that path can download it without authenticating. The file contains attendees' first and last names, email addresses, and phone numbers.

Impact

An unauthenticated attacker who retrieves the exported file obtains the personal data of every attendee it contains: names, email addresses, and phone numbers. Beyond the privacy harm to the attendees themselves, this data is directly usable for phishing and other social engineering against them.

Reproduction

On an affected version (1.4.3 or earlier), run the Visitors List export from the plugin. The plugin writes the CSV under its hardcoded filename directly in the wp-content directory. Then, from a browser or HTTP client with no WordPress session, request that path on the site: the web server returns the CSV as an ordinary static file, and the attendees' names, email addresses, and phone numbers can be read from it. No authentication, nonce, or capability check is involved in the download.
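
The code pattern behind this class of bug, shown as an added illustration that is not Event Monster's own code: the vulnerable handler writes the export to a fixed path under the web root, where the web server serves it to anyone, while the hardened handler checks capability and nonce and streams the CSV straight to the authenticated admin's browser without writing anything under the web root. The function names (em_example_*), the nonce action name and the sample rows are assumptions made for this example, and the plugin's real export filename is deliberately not reproduced.

```php
<?php
// Added illustration, not Event Monster's code. Function names (em_example_*),
// the nonce action name and the sample rows are assumptions made for this example;
// the plugin's real export filename is deliberately not reproduced.

// Constructed sample data standing in for rows read from the plugin's visitors table.
function em_example_visitor_rows() {
    return array(
        array( 'Alice', 'Doe', 'alice@example.com', '555-0100' ),
        array( 'Bob',   'Roe', 'bob@example.com',   '555-0101' ),
    );
}

// VULNERABLE pattern (for comparison only, never hook this): the export is written
// to a fixed, guessable path inside the web root. The web server serves
// /wp-content/<fixed-name>.csv to anyone, with no WordPress login involved.
function em_example_export_vulnerable() {
    $path = WP_CONTENT_DIR . '/visitors-export.csv'; // hardcoded name under the web root
    $fh   = fopen( $path, 'w' );
    fputcsv( $fh, array( 'First name', 'Last name', 'Email', 'Phone' ) );
    foreach ( em_example_visitor_rows() as $row ) {
        fputcsv( $fh, $row );
    }
    fclose( $fh );
    // The handler then links the admin to the public URL of $path and never deletes it.
}

// HARDENED pattern: authorise the request, then stream the CSV to the requesting
// admin's browser. Nothing is written under the web root, so there is no
// leftover file for an anonymous visitor to fetch.
function em_example_export_hardened() {
    // 1. Only users allowed to administer the site may export attendee data.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // 2. The request must carry a valid nonce, so a forged link cannot trigger it.
    check_admin_referer( 'em_example_export_visitors' );

    // 3. Send as a download with no-cache headers so proxies and browsers do not retain PII.
    nocache_headers();
    header( 'Content-Type: text/csv; charset=utf-8' );
    header( 'Content-Disposition: attachment; filename="visitors-' . gmdate( 'Ymd-His' ) . '.csv"' );
    header( 'X-Content-Type-Options: nosniff' );

    $out = fopen( 'php://output', 'w' );
    fputcsv( $out, array( 'First name', 'Last name', 'Email', 'Phone' ) );
    foreach ( em_example_visitor_rows() as $row ) {
        fputcsv( $out, $row );
    }
    fclose( $out );
    exit;
}

// Register only the hardened handler. The admin-side link that triggers it should be
// built with wp_nonce_url( admin_url( 'admin-post.php?action=em_example_export_visitors' ),
// 'em_example_export_visitors' ) so the nonce check above passes for legitimate clicks.
add_action( 'admin_post_em_example_export_visitors', 'em_example_export_hardened' );
```

If a plugin genuinely needs the export on disk (for example, a large file prepared in the background), it should write it under an unpredictable name (random_bytes or wp_generate_password) into a directory outside the document root or one the web server is configured to deny, serve it only through a capability-checked handler like the one above, and delete it once it has been downloaded.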

Remediation

Update the Event Monster WordPress plugin to version 1.4.4 or later. Separately, check the wp-content directory for any CSV written by an earlier export and delete it; do not rely on the update to clean up files written before it was applied. Where the file was present, review the web server's access logs for requests to its path to determine whether it was downloaded while exposed.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 1.0
impact: 2.5
exploitability: 9.3
remediation: 7.7
relevance: 0.0
threat: 5.9
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.