Description

WordPress Plugin Event Espresso 4 Decaf-Event Registration Event Ticketing is prone to a cross-site request forgery vulnerability. Exploiting this issue may allow a remote attacker to perform certain administrative actions and gain unauthorized access to the affected application; other attacks are also possible. WordPress Plugin Event Espresso 4 Decaf-Event Registration Event Ticketing version 4.10.11.decaf is vulnerable; prior versions may also be affected.

Remediation

Update to plugin version 4.10.12.decaf or latest

References

https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-5/

https://plugins.trac.wordpress.org/changeset/2554360/

Related Vulnerabilities

WordPress Plugin Homepage SlideShow 'upload.php' Arbitrary File Upload (2.0)

WordPress Plugin YITH WooCommerce PDF Invoice and Shipping List Security Bypass (1.2.12)

Drupal Permissions, Privileges, and Access Controls Vulnerability (CVE-2011-2687)

Jboss EAP Permissions, Privileges, and Access Controls Vulnerability (CVE-2012-5629)

WordPress Plugin SMS Alert Order Notifications-WooCommerce Cross-Site Scripting (3.4.6)

Severity

High

Classification

CWE-352 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Tags

Missing Update CSRF