Search
Find a vulnerability
Search criteria
6 vulnerabilities found for event_espresso by eventespresso
CVE-2024-6883 (GCVE-0-2024-6883)
Vulnerability from nvd – Published: 2024-08-21 05:30 – Updated: 2026-04-08 16:58
VLAI
Title
Event Espresso 4 Decaf – Event Registration Event Ticketing <= 4.10.46.decaf- Authenticated (Subscriber+) Missing Authorization to Limited Plugin Settings Modification
Summary
The Event Espresso 4 Decaf – Event Registration Event Ticketing plugin for WordPress is vulnerable to limited unauthorized plugin settings modification due to a missing capability check on the saveTimezoneString and some other functions in all versions up to and including 4.10.46.decaf. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify some of the plugin settings.
Severity
4.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| eventespresso | Event Espresso – Event Registration & Ticketing Sales |
Affected:
0 , ≤ 4.10.46.decaf
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-6883",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-21T13:16:54.366211Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-21T13:17:20.489Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Event Espresso \u2013 Event Registration \u0026 Ticketing Sales",
"vendor": "eventespresso",
"versions": [
{
"lessThanOrEqual": "4.10.46.decaf",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Lucio S\u00e1"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Event Espresso 4 Decaf \u2013 Event Registration Event Ticketing plugin for WordPress is vulnerable to limited unauthorized plugin settings modification due to a missing capability check on the saveTimezoneString and some other functions in all versions up to and including 4.10.46.decaf. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify some of the plugin settings."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:58:28.731Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/689abb68-0c19-4f89-91db-fd15ab8bca8e?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/event-espresso-decaf/tags/4.10.46.decaf/admin_pages/events/Events_Admin_Page.core.php#L2800"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-07-07T00:00:00.000Z",
"value": "Discovered"
},
{
"lang": "en",
"time": "2024-08-20T17:26:46.000Z",
"value": "Disclosed"
}
],
"title": "Event Espresso 4 Decaf \u2013 Event Registration Event Ticketing \u003c= 4.10.46.decaf- Authenticated (Subscriber+) Missing Authorization to Limited Plugin Settings Modification"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-6883",
"datePublished": "2024-08-21T05:30:21.157Z",
"dateReserved": "2024-07-18T13:36:14.354Z",
"dateUpdated": "2026-04-08T16:58:28.731Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2020-26153 (GCVE-0-2020-26153)
Vulnerability from nvd – Published: 2021-07-13 10:44 – Updated: 2024-08-04 15:49
VLAI
Summary
A cross-site scripting (XSS) vulnerability in wp-content/plugins/event-espresso-core-reg/admin_pages/messages/templates/ee_msg_admin_overview.template.php in the Event Espresso Core plugin before 4.10.7.p for WordPress allows remote attackers to inject arbitrary web script or HTML via the page parameter.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/eventespresso/event-espresso-c… | x_refsource_MISC |
| https://labs.nettitude.com/blog/cve-2020-26153-ev… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T15:49:07.155Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/eventespresso/event-espresso-core/compare/4.10.6.p...4.10.7.p"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://labs.nettitude.com/blog/cve-2020-26153-event-espresso-core-cross-site-scripting/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A cross-site scripting (XSS) vulnerability in wp-content/plugins/event-espresso-core-reg/admin_pages/messages/templates/ee_msg_admin_overview.template.php in the Event Espresso Core plugin before 4.10.7.p for WordPress allows remote attackers to inject arbitrary web script or HTML via the page parameter."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-07-13T10:44:57.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/eventespresso/event-espresso-core/compare/4.10.6.p...4.10.7.p"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://labs.nettitude.com/blog/cve-2020-26153-event-espresso-core-cross-site-scripting/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-26153",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A cross-site scripting (XSS) vulnerability in wp-content/plugins/event-espresso-core-reg/admin_pages/messages/templates/ee_msg_admin_overview.template.php in the Event Espresso Core plugin before 4.10.7.p for WordPress allows remote attackers to inject arbitrary web script or HTML via the page parameter."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/eventespresso/event-espresso-core/compare/4.10.6.p...4.10.7.p",
"refsource": "MISC",
"url": "https://github.com/eventespresso/event-espresso-core/compare/4.10.6.p...4.10.7.p"
},
{
"name": "https://labs.nettitude.com/blog/cve-2020-26153-event-espresso-core-cross-site-scripting/",
"refsource": "MISC",
"url": "https://labs.nettitude.com/blog/cve-2020-26153-event-espresso-core-cross-site-scripting/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-26153",
"datePublished": "2021-07-13T10:44:57.000Z",
"dateReserved": "2020-09-29T00:00:00.000Z",
"dateUpdated": "2024-08-04T15:49:07.155Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-1002026 (GCVE-0-2017-1002026)
Vulnerability from nvd – Published: 2017-09-14 13:00 – Updated: 2024-09-16 22:45
VLAI
Summary
Vulnerability in wordpress plugin Event Expresso Free v3.1.37.11.L, The function edit_event_category does not sanitize user-supplied input via the $id parameter before passing it into an SQL statement.
Severity
No CVSS data available.
CWE
- SQL Injection
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://wordpress.org/plugins/event-espresso-free/ | x_refsource_MISC |
| http://www.vapidlabs.com/advisory.php?v=197 | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Event Espresso | Event Expresso Free |
Affected:
unspecified , < 3.1.37.11.L
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T22:00:41.573Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wordpress.org/plugins/event-espresso-free/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://www.vapidlabs.com/advisory.php?v=197"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Event Expresso Free",
"vendor": "Event Espresso",
"versions": [
{
"lessThan": "3.1.37.11.L",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"dateAssigned": "2017-07-04T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Vulnerability in wordpress plugin Event Expresso Free v3.1.37.11.L, The function edit_event_category does not sanitize user-supplied input via the $id parameter before passing it into an SQL statement."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "SQL Injection",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-09-14T13:00:00.000Z",
"orgId": "461b2335-328f-427d-ae3d-eff7d6814455",
"shortName": "larry_cashdollar"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wordpress.org/plugins/event-espresso-free/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://www.vapidlabs.com/advisory.php?v=197"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "larry0@me.com",
"DATE_ASSIGNED": "2017-07-04",
"ID": "CVE-2017-1002026",
"REQUESTER": "kurt@seifried.org",
"STATE": "PUBLIC",
"UPDATED": "2017-08-10T14:41Z"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Event Expresso Free",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "3.1.37.11.L"
}
]
}
}
]
},
"vendor_name": "Event Espresso"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Vulnerability in wordpress plugin Event Expresso Free v3.1.37.11.L, The function edit_event_category does not sanitize user-supplied input via the $id parameter before passing it into an SQL statement."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "SQL Injection"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wordpress.org/plugins/event-espresso-free/",
"refsource": "MISC",
"url": "https://wordpress.org/plugins/event-espresso-free/"
},
{
"name": "http://www.vapidlabs.com/advisory.php?v=197",
"refsource": "MISC",
"url": "http://www.vapidlabs.com/advisory.php?v=197"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "461b2335-328f-427d-ae3d-eff7d6814455",
"assignerShortName": "larry_cashdollar",
"cveId": "CVE-2017-1002026",
"datePublished": "2017-09-14T13:00:00.000Z",
"dateReserved": "2017-09-14T00:00:00.000Z",
"dateUpdated": "2024-09-16T22:45:10.290Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-6883 (GCVE-0-2024-6883)
Vulnerability from cvelistv5 – Published: 2024-08-21 05:30 – Updated: 2026-04-08 16:58
VLAI
Title
Event Espresso 4 Decaf – Event Registration Event Ticketing <= 4.10.46.decaf- Authenticated (Subscriber+) Missing Authorization to Limited Plugin Settings Modification
Summary
The Event Espresso 4 Decaf – Event Registration Event Ticketing plugin for WordPress is vulnerable to limited unauthorized plugin settings modification due to a missing capability check on the saveTimezoneString and some other functions in all versions up to and including 4.10.46.decaf. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify some of the plugin settings.
Severity
4.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| eventespresso | Event Espresso – Event Registration & Ticketing Sales |
Affected:
0 , ≤ 4.10.46.decaf
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-6883",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-21T13:16:54.366211Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-21T13:17:20.489Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Event Espresso \u2013 Event Registration \u0026 Ticketing Sales",
"vendor": "eventespresso",
"versions": [
{
"lessThanOrEqual": "4.10.46.decaf",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Lucio S\u00e1"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Event Espresso 4 Decaf \u2013 Event Registration Event Ticketing plugin for WordPress is vulnerable to limited unauthorized plugin settings modification due to a missing capability check on the saveTimezoneString and some other functions in all versions up to and including 4.10.46.decaf. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify some of the plugin settings."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:58:28.731Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/689abb68-0c19-4f89-91db-fd15ab8bca8e?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/event-espresso-decaf/tags/4.10.46.decaf/admin_pages/events/Events_Admin_Page.core.php#L2800"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-07-07T00:00:00.000Z",
"value": "Discovered"
},
{
"lang": "en",
"time": "2024-08-20T17:26:46.000Z",
"value": "Disclosed"
}
],
"title": "Event Espresso 4 Decaf \u2013 Event Registration Event Ticketing \u003c= 4.10.46.decaf- Authenticated (Subscriber+) Missing Authorization to Limited Plugin Settings Modification"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-6883",
"datePublished": "2024-08-21T05:30:21.157Z",
"dateReserved": "2024-07-18T13:36:14.354Z",
"dateUpdated": "2026-04-08T16:58:28.731Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2020-26153 (GCVE-0-2020-26153)
Vulnerability from cvelistv5 – Published: 2021-07-13 10:44 – Updated: 2024-08-04 15:49
VLAI
Summary
A cross-site scripting (XSS) vulnerability in wp-content/plugins/event-espresso-core-reg/admin_pages/messages/templates/ee_msg_admin_overview.template.php in the Event Espresso Core plugin before 4.10.7.p for WordPress allows remote attackers to inject arbitrary web script or HTML via the page parameter.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/eventespresso/event-espresso-c… | x_refsource_MISC |
| https://labs.nettitude.com/blog/cve-2020-26153-ev… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T15:49:07.155Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/eventespresso/event-espresso-core/compare/4.10.6.p...4.10.7.p"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://labs.nettitude.com/blog/cve-2020-26153-event-espresso-core-cross-site-scripting/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A cross-site scripting (XSS) vulnerability in wp-content/plugins/event-espresso-core-reg/admin_pages/messages/templates/ee_msg_admin_overview.template.php in the Event Espresso Core plugin before 4.10.7.p for WordPress allows remote attackers to inject arbitrary web script or HTML via the page parameter."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-07-13T10:44:57.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/eventespresso/event-espresso-core/compare/4.10.6.p...4.10.7.p"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://labs.nettitude.com/blog/cve-2020-26153-event-espresso-core-cross-site-scripting/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-26153",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A cross-site scripting (XSS) vulnerability in wp-content/plugins/event-espresso-core-reg/admin_pages/messages/templates/ee_msg_admin_overview.template.php in the Event Espresso Core plugin before 4.10.7.p for WordPress allows remote attackers to inject arbitrary web script or HTML via the page parameter."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/eventespresso/event-espresso-core/compare/4.10.6.p...4.10.7.p",
"refsource": "MISC",
"url": "https://github.com/eventespresso/event-espresso-core/compare/4.10.6.p...4.10.7.p"
},
{
"name": "https://labs.nettitude.com/blog/cve-2020-26153-event-espresso-core-cross-site-scripting/",
"refsource": "MISC",
"url": "https://labs.nettitude.com/blog/cve-2020-26153-event-espresso-core-cross-site-scripting/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-26153",
"datePublished": "2021-07-13T10:44:57.000Z",
"dateReserved": "2020-09-29T00:00:00.000Z",
"dateUpdated": "2024-08-04T15:49:07.155Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-1002026 (GCVE-0-2017-1002026)
Vulnerability from cvelistv5 – Published: 2017-09-14 13:00 – Updated: 2024-09-16 22:45
VLAI
Summary
Vulnerability in wordpress plugin Event Expresso Free v3.1.37.11.L, The function edit_event_category does not sanitize user-supplied input via the $id parameter before passing it into an SQL statement.
Severity
No CVSS data available.
CWE
- SQL Injection
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://wordpress.org/plugins/event-espresso-free/ | x_refsource_MISC |
| http://www.vapidlabs.com/advisory.php?v=197 | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Event Espresso | Event Expresso Free |
Affected:
unspecified , < 3.1.37.11.L
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T22:00:41.573Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wordpress.org/plugins/event-espresso-free/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://www.vapidlabs.com/advisory.php?v=197"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Event Expresso Free",
"vendor": "Event Espresso",
"versions": [
{
"lessThan": "3.1.37.11.L",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"dateAssigned": "2017-07-04T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Vulnerability in wordpress plugin Event Expresso Free v3.1.37.11.L, The function edit_event_category does not sanitize user-supplied input via the $id parameter before passing it into an SQL statement."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "SQL Injection",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-09-14T13:00:00.000Z",
"orgId": "461b2335-328f-427d-ae3d-eff7d6814455",
"shortName": "larry_cashdollar"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wordpress.org/plugins/event-espresso-free/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://www.vapidlabs.com/advisory.php?v=197"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "larry0@me.com",
"DATE_ASSIGNED": "2017-07-04",
"ID": "CVE-2017-1002026",
"REQUESTER": "kurt@seifried.org",
"STATE": "PUBLIC",
"UPDATED": "2017-08-10T14:41Z"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Event Expresso Free",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "3.1.37.11.L"
}
]
}
}
]
},
"vendor_name": "Event Espresso"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Vulnerability in wordpress plugin Event Expresso Free v3.1.37.11.L, The function edit_event_category does not sanitize user-supplied input via the $id parameter before passing it into an SQL statement."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "SQL Injection"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wordpress.org/plugins/event-espresso-free/",
"refsource": "MISC",
"url": "https://wordpress.org/plugins/event-espresso-free/"
},
{
"name": "http://www.vapidlabs.com/advisory.php?v=197",
"refsource": "MISC",
"url": "http://www.vapidlabs.com/advisory.php?v=197"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "461b2335-328f-427d-ae3d-eff7d6814455",
"assignerShortName": "larry_cashdollar",
"cveId": "CVE-2017-1002026",
"datePublished": "2017-09-14T13:00:00.000Z",
"dateReserved": "2017-09-14T00:00:00.000Z",
"dateUpdated": "2024-09-16T22:45:10.290Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}