Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
12 vulnerabilities found for event_monster by awplife
CVE-2024-11396 (GCVE-0-2024-11396)
Vulnerability from nvd – Published: 2025-01-13 23:21 – Updated: 2026-04-08 16:35
VLAI?
Title
Event monster <= 1.4.3 - Information Exposure Via Visitors List Export
Summary
The Event Monster – Event Management, Tickets Booking, Upcoming Event plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.4.3 via the Visitors List Export file. During the export, a CSV file is created in the wp-content folder with a hardcoded filename that is publicly accessible. This makes it possible for unauthenticated attackers to extract data about event visitors, that includes first and last names, email, and phone number.
Severity ?
5.3 (Medium)
CWE
- CWE-359 - Exposure of Private Personal Information to an Unauthorized Actor
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| awordpresslife | Event Monster – Manager & Ticket Booking |
Affected:
0 , ≤ 1.4.3
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-11396",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-14T00:16:23.804437Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-14T00:16:38.672Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Event Monster \u2013 Manager \u0026 Ticket Booking",
"vendor": "awordpresslife",
"versions": [
{
"lessThanOrEqual": "1.4.3",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "mike harris"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Event Monster \u2013 Event Management, Tickets Booking, Upcoming Event plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.4.3 via the Visitors List Export file. During the export, a CSV file is created in the wp-content folder with a hardcoded filename that is publicly accessible. This makes it possible for unauthenticated attackers to extract data about event visitors, that includes first and last names, email, and phone number."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-359",
"description": "CWE-359 Exposure of Private Personal Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:35:41.009Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0f522dfe-f2c2-4adb-980c-1f03d3c26e12?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/event-monster/tags/1.4.3/em-ajax-prossesing/em-visitor-ajax.php#L92"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-09-30T00:00:00.000Z",
"value": "Discovered"
},
{
"lang": "en",
"time": "2025-01-13T11:10:18.000Z",
"value": "Disclosed"
}
],
"title": "Event monster \u003c= 1.4.3 - Information Exposure Via Visitors List Export"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-11396",
"datePublished": "2025-01-13T23:21:40.170Z",
"dateReserved": "2024-11-18T23:57:28.793Z",
"dateUpdated": "2026-04-08T16:35:41.009Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-5059 (GCVE-0-2024-5059)
Vulnerability from nvd – Published: 2024-06-21 13:03 – Updated: 2024-08-01 21:03
VLAI?
Title
WordPress Event Monster Plugin <= 1.4.0 - Sensitive Data Exposure vulnerability
Summary
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in A WP Life Event Management Tickets Booking.This issue affects Event Management Tickets Booking: from n/a through 1.4.0.
Severity ?
5.3 (Medium)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| A WP Life | Event Management Tickets Booking |
Affected:
n/a , ≤ 1.4.0
(custom)
|
Credits
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:awplife:event_monster:*:*:*:*:*:wordpress:*:*"
],
"defaultStatus": "unknown",
"product": "event_monster",
"vendor": "awplife",
"versions": [
{
"lessThanOrEqual": "1.4.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-5059",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-21T14:10:15.707351Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-21T14:10:47.499Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T21:03:10.316Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/event-monster/wordpress-event-monster-plugin-1-4-0-sensitive-data-exposure-vulnerability?_s_id=cve"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "event-monster",
"product": "Event Management Tickets Booking",
"vendor": "A WP Life",
"versions": [
{
"lessThanOrEqual": "1.4.0",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Muhammad Daffa (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Exposure of Sensitive Information to an Unauthorized Actor vulnerability in A WP Life Event Management Tickets Booking.\u003cp\u003eThis issue affects Event Management Tickets Booking: from n/a through 1.4.0.\u003c/p\u003e"
}
],
"value": "Exposure of Sensitive Information to an Unauthorized Actor vulnerability in A WP Life Event Management Tickets Booking.This issue affects Event Management Tickets Booking: from n/a through 1.4.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-21T13:03:31.137Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/vulnerability/event-monster/wordpress-event-monster-plugin-1-4-0-sensitive-data-exposure-vulnerability?_s_id=cve"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress Event Monster Plugin \u003c= 1.4.0 - Sensitive Data Exposure vulnerability",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2024-5059",
"datePublished": "2024-06-21T13:03:31.137Z",
"dateReserved": "2024-05-17T10:11:36.717Z",
"dateUpdated": "2024-08-01T21:03:10.316Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-1895 (GCVE-0-2024-1895)
Vulnerability from nvd – Published: 2024-04-30 08:32 – Updated: 2026-04-08 16:48
VLAI?
Title
Event Monster <= 1.3.9 - Authenticated(Contributor+) PHP Object Injection via Custom Meta
Summary
The Event Monster – Event Management, Tickets Booking, Upcoming Event plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.3.9 via deserialization via shortcode of untrusted input from a custom meta value. This makes it possible for authenticated attackers, with contributor access and above, to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
Severity ?
7.5 (High)
CWE
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| awordpresslife | Event Monster – Manager & Ticket Booking |
Affected:
0 , ≤ 1.3.9
(semver)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T18:56:22.550Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/41d7b3f1-a133-4678-b2d9-3f9951cbc005?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/event-monster/tags/1.3.3/shortcode.php"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:awplife:event_monster:*:*:*:*:*:wordpress:*:*"
],
"defaultStatus": "unknown",
"product": "event_monster",
"vendor": "awplife",
"versions": [
{
"lessThanOrEqual": "1.3.4",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-1895",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-08T18:14:57.339478Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-08T18:16:01.402Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Event Monster \u2013 Manager \u0026 Ticket Booking",
"vendor": "awordpresslife",
"versions": [
{
"lessThanOrEqual": "1.3.9",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Francesco Carlucci"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Event Monster \u2013 Event Management, Tickets Booking, Upcoming Event plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.3.9 via deserialization via shortcode of untrusted input from a custom meta value. This makes it possible for authenticated attackers, with contributor access and above, to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:48:48.253Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/41d7b3f1-a133-4678-b2d9-3f9951cbc005?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/event-monster/tags/1.3.3/shortcode.php"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3102670"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-04-29T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "Event Monster \u003c= 1.3.9 - Authenticated(Contributor+) PHP Object Injection via Custom Meta"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-1895",
"datePublished": "2024-04-30T08:32:22.449Z",
"dateReserved": "2024-02-26T17:09:33.045Z",
"dateUpdated": "2026-04-08T16:48:48.253Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-47525 (GCVE-0-2023-47525)
Vulnerability from nvd – Published: 2023-12-21 14:25 – Updated: 2026-04-23 13:50
VLAI?
Title
WordPress Event Monster plugin <= 1.4.9 - Cross Site Scripting (XSS) vulnerability
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in A WP Life Event Management Tickets Booking event-monster allows DOM-Based XSS.This issue affects Event Management Tickets Booking: from n/a through <= 1.4.9.
Severity ?
5.9 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| A WP Life | Event Management Tickets Booking |
Affected:
0 , ≤ 1.4.9
(custom)
|
Date Public ?
2026-04-22 14:43
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T21:09:37.354Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/event-monster/wordpress-event-monster-plugin-1-3-2-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-47525",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-12T20:04:20.643990Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-20T20:19:20.771Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "event-monster",
"product": "Event Management Tickets Booking",
"vendor": "A WP Life",
"versions": [
{
"changes": [
{
"at": "2.0.0",
"status": "unaffected"
}
],
"lessThanOrEqual": "1.4.9",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jeongwoo-Lee(Roronoa) | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-22T14:43:43.490Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in A WP Life Event Management Tickets Booking event-monster allows DOM-Based XSS.\u003cp\u003eThis issue affects Event Management Tickets Booking: from n/a through \u003c= 1.4.9.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in A WP Life Event Management Tickets Booking event-monster allows DOM-Based XSS.This issue affects Event Management Tickets Booking: from n/a through \u003c= 1.4.9."
}
],
"impacts": [
{
"capecId": "CAPEC-588",
"descriptions": [
{
"lang": "en",
"value": "DOM-Based XSS"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-23T13:50:37.540Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/event-monster/vulnerability/wordpress-event-monster-plugin-1-3-2-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"title": "WordPress Event Monster plugin \u003c= 1.4.9 - Cross Site Scripting (XSS) vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2023-47525",
"datePublished": "2023-12-21T14:25:39.759Z",
"dateReserved": "2023-11-06T09:31:05.423Z",
"dateUpdated": "2026-04-23T13:50:37.540Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-3720 (GCVE-0-2022-3720)
Vulnerability from nvd – Published: 2022-11-21 00:00 – Updated: 2025-04-30 15:32
VLAI?
Title
Event Monster < 1.2.1 - Admin+ SQLi
Summary
The Event Monster WordPress plugin before 1.2.0 does not validate and escape some parameters before using them in SQL statements, which could lead to SQL Injection exploitable by high privilege users
Severity ?
7.2 (High)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Unknown | Event Monster |
Affected:
0 , < 1.2.0
(custom)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T01:20:57.121Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"exploit",
"vdb-entry",
"technical-description",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/0139a23c-4896-4aef-ab56-dcf7f07f01e5"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-3720",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-30T15:31:24.241872Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-30T15:32:41.083Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"product": "Event Monster",
"vendor": "Unknown",
"versions": [
{
"lessThan": "1.2.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Thura Moe Myint"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Event Monster WordPress plugin before 1.2.0 does not validate and escape some parameters before using them in SQL statements, which could lead to SQL Injection exploitable by high privilege users"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-89 SQL Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-11-29T13:35:05.303Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"exploit",
"vdb-entry",
"technical-description"
],
"url": "https://wpscan.com/vulnerability/0139a23c-4896-4aef-ab56-dcf7f07f01e5"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Event Monster \u003c 1.2.1 - Admin+ SQLi",
"x_generator": {
"engine": "WPScan CVE Generator"
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2022-3720",
"datePublished": "2022-11-21T00:00:00.000Z",
"dateReserved": "2022-10-27T00:00:00.000Z",
"dateUpdated": "2025-04-30T15:32:41.083Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-3336 (GCVE-0-2022-3336)
Vulnerability from nvd – Published: 2022-11-21 00:00 – Updated: 2025-04-30 13:24
VLAI?
Title
Event Monster < 1.2.0 - Visitors Deletion via CSRF
Summary
The Event Monster WordPress plugin before 1.2.0 does not have CSRF check when deleting visitors, which could allow attackers to make logged in admin delete arbitrary visitors via a CSRF attack
Severity ?
4.3 (Medium)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Unknown | Event Monster |
Affected:
0 , < 1.2.0
(custom)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T01:07:06.547Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"exploit",
"vdb-entry",
"technical-description",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/57bc6633-1aeb-4c20-a2a5-9b3fa10ba95d"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-3336",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-30T13:24:04.669977Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-30T13:24:20.760Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"product": "Event Monster",
"vendor": "Unknown",
"versions": [
{
"lessThan": "1.2.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Thura Moe Myint"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Event Monster WordPress plugin before 1.2.0 does not have CSRF check when deleting visitors, which could allow attackers to make logged in admin delete arbitrary visitors via a CSRF attack"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-11-29T13:35:07.863Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"exploit",
"vdb-entry",
"technical-description"
],
"url": "https://wpscan.com/vulnerability/57bc6633-1aeb-4c20-a2a5-9b3fa10ba95d"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Event Monster \u003c 1.2.0 - Visitors Deletion via CSRF",
"x_generator": {
"engine": "WPScan CVE Generator"
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2022-3336",
"datePublished": "2022-11-21T00:00:00.000Z",
"dateReserved": "2022-09-27T00:00:00.000Z",
"dateUpdated": "2025-04-30T13:24:20.760Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-11396 (GCVE-0-2024-11396)
Vulnerability from cvelistv5 – Published: 2025-01-13 23:21 – Updated: 2026-04-08 16:35
VLAI?
Title
Event monster <= 1.4.3 - Information Exposure Via Visitors List Export
Summary
The Event Monster – Event Management, Tickets Booking, Upcoming Event plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.4.3 via the Visitors List Export file. During the export, a CSV file is created in the wp-content folder with a hardcoded filename that is publicly accessible. This makes it possible for unauthenticated attackers to extract data about event visitors, that includes first and last names, email, and phone number.
Severity ?
5.3 (Medium)
CWE
- CWE-359 - Exposure of Private Personal Information to an Unauthorized Actor
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| awordpresslife | Event Monster – Manager & Ticket Booking |
Affected:
0 , ≤ 1.4.3
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-11396",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-14T00:16:23.804437Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-14T00:16:38.672Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Event Monster \u2013 Manager \u0026 Ticket Booking",
"vendor": "awordpresslife",
"versions": [
{
"lessThanOrEqual": "1.4.3",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "mike harris"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Event Monster \u2013 Event Management, Tickets Booking, Upcoming Event plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.4.3 via the Visitors List Export file. During the export, a CSV file is created in the wp-content folder with a hardcoded filename that is publicly accessible. This makes it possible for unauthenticated attackers to extract data about event visitors, that includes first and last names, email, and phone number."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-359",
"description": "CWE-359 Exposure of Private Personal Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:35:41.009Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0f522dfe-f2c2-4adb-980c-1f03d3c26e12?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/event-monster/tags/1.4.3/em-ajax-prossesing/em-visitor-ajax.php#L92"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-09-30T00:00:00.000Z",
"value": "Discovered"
},
{
"lang": "en",
"time": "2025-01-13T11:10:18.000Z",
"value": "Disclosed"
}
],
"title": "Event monster \u003c= 1.4.3 - Information Exposure Via Visitors List Export"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-11396",
"datePublished": "2025-01-13T23:21:40.170Z",
"dateReserved": "2024-11-18T23:57:28.793Z",
"dateUpdated": "2026-04-08T16:35:41.009Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-5059 (GCVE-0-2024-5059)
Vulnerability from cvelistv5 – Published: 2024-06-21 13:03 – Updated: 2024-08-01 21:03
VLAI?
Title
WordPress Event Monster Plugin <= 1.4.0 - Sensitive Data Exposure vulnerability
Summary
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in A WP Life Event Management Tickets Booking.This issue affects Event Management Tickets Booking: from n/a through 1.4.0.
Severity ?
5.3 (Medium)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| A WP Life | Event Management Tickets Booking |
Affected:
n/a , ≤ 1.4.0
(custom)
|
Credits
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:awplife:event_monster:*:*:*:*:*:wordpress:*:*"
],
"defaultStatus": "unknown",
"product": "event_monster",
"vendor": "awplife",
"versions": [
{
"lessThanOrEqual": "1.4.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-5059",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-21T14:10:15.707351Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-21T14:10:47.499Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T21:03:10.316Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/event-monster/wordpress-event-monster-plugin-1-4-0-sensitive-data-exposure-vulnerability?_s_id=cve"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "event-monster",
"product": "Event Management Tickets Booking",
"vendor": "A WP Life",
"versions": [
{
"lessThanOrEqual": "1.4.0",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Muhammad Daffa (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Exposure of Sensitive Information to an Unauthorized Actor vulnerability in A WP Life Event Management Tickets Booking.\u003cp\u003eThis issue affects Event Management Tickets Booking: from n/a through 1.4.0.\u003c/p\u003e"
}
],
"value": "Exposure of Sensitive Information to an Unauthorized Actor vulnerability in A WP Life Event Management Tickets Booking.This issue affects Event Management Tickets Booking: from n/a through 1.4.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-21T13:03:31.137Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/vulnerability/event-monster/wordpress-event-monster-plugin-1-4-0-sensitive-data-exposure-vulnerability?_s_id=cve"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress Event Monster Plugin \u003c= 1.4.0 - Sensitive Data Exposure vulnerability",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2024-5059",
"datePublished": "2024-06-21T13:03:31.137Z",
"dateReserved": "2024-05-17T10:11:36.717Z",
"dateUpdated": "2024-08-01T21:03:10.316Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-1895 (GCVE-0-2024-1895)
Vulnerability from cvelistv5 – Published: 2024-04-30 08:32 – Updated: 2026-04-08 16:48
VLAI?
Title
Event Monster <= 1.3.9 - Authenticated(Contributor+) PHP Object Injection via Custom Meta
Summary
The Event Monster – Event Management, Tickets Booking, Upcoming Event plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.3.9 via deserialization via shortcode of untrusted input from a custom meta value. This makes it possible for authenticated attackers, with contributor access and above, to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
Severity ?
7.5 (High)
CWE
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| awordpresslife | Event Monster – Manager & Ticket Booking |
Affected:
0 , ≤ 1.3.9
(semver)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T18:56:22.550Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/41d7b3f1-a133-4678-b2d9-3f9951cbc005?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/event-monster/tags/1.3.3/shortcode.php"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:awplife:event_monster:*:*:*:*:*:wordpress:*:*"
],
"defaultStatus": "unknown",
"product": "event_monster",
"vendor": "awplife",
"versions": [
{
"lessThanOrEqual": "1.3.4",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-1895",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-08T18:14:57.339478Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-08T18:16:01.402Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Event Monster \u2013 Manager \u0026 Ticket Booking",
"vendor": "awordpresslife",
"versions": [
{
"lessThanOrEqual": "1.3.9",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Francesco Carlucci"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Event Monster \u2013 Event Management, Tickets Booking, Upcoming Event plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.3.9 via deserialization via shortcode of untrusted input from a custom meta value. This makes it possible for authenticated attackers, with contributor access and above, to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:48:48.253Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/41d7b3f1-a133-4678-b2d9-3f9951cbc005?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/event-monster/tags/1.3.3/shortcode.php"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3102670"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-04-29T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "Event Monster \u003c= 1.3.9 - Authenticated(Contributor+) PHP Object Injection via Custom Meta"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-1895",
"datePublished": "2024-04-30T08:32:22.449Z",
"dateReserved": "2024-02-26T17:09:33.045Z",
"dateUpdated": "2026-04-08T16:48:48.253Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-47525 (GCVE-0-2023-47525)
Vulnerability from cvelistv5 – Published: 2023-12-21 14:25 – Updated: 2026-04-23 13:50
VLAI?
Title
WordPress Event Monster plugin <= 1.4.9 - Cross Site Scripting (XSS) vulnerability
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in A WP Life Event Management Tickets Booking event-monster allows DOM-Based XSS.This issue affects Event Management Tickets Booking: from n/a through <= 1.4.9.
Severity ?
5.9 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| A WP Life | Event Management Tickets Booking |
Affected:
0 , ≤ 1.4.9
(custom)
|
Date Public ?
2026-04-22 14:43
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T21:09:37.354Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/event-monster/wordpress-event-monster-plugin-1-3-2-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-47525",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-12T20:04:20.643990Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-20T20:19:20.771Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "event-monster",
"product": "Event Management Tickets Booking",
"vendor": "A WP Life",
"versions": [
{
"changes": [
{
"at": "2.0.0",
"status": "unaffected"
}
],
"lessThanOrEqual": "1.4.9",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jeongwoo-Lee(Roronoa) | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-22T14:43:43.490Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in A WP Life Event Management Tickets Booking event-monster allows DOM-Based XSS.\u003cp\u003eThis issue affects Event Management Tickets Booking: from n/a through \u003c= 1.4.9.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in A WP Life Event Management Tickets Booking event-monster allows DOM-Based XSS.This issue affects Event Management Tickets Booking: from n/a through \u003c= 1.4.9."
}
],
"impacts": [
{
"capecId": "CAPEC-588",
"descriptions": [
{
"lang": "en",
"value": "DOM-Based XSS"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-23T13:50:37.540Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/event-monster/vulnerability/wordpress-event-monster-plugin-1-3-2-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"title": "WordPress Event Monster plugin \u003c= 1.4.9 - Cross Site Scripting (XSS) vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2023-47525",
"datePublished": "2023-12-21T14:25:39.759Z",
"dateReserved": "2023-11-06T09:31:05.423Z",
"dateUpdated": "2026-04-23T13:50:37.540Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-3336 (GCVE-0-2022-3336)
Vulnerability from cvelistv5 – Published: 2022-11-21 00:00 – Updated: 2025-04-30 13:24
VLAI?
Title
Event Monster < 1.2.0 - Visitors Deletion via CSRF
Summary
The Event Monster WordPress plugin before 1.2.0 does not have CSRF check when deleting visitors, which could allow attackers to make logged in admin delete arbitrary visitors via a CSRF attack
Severity ?
4.3 (Medium)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Unknown | Event Monster |
Affected:
0 , < 1.2.0
(custom)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T01:07:06.547Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"exploit",
"vdb-entry",
"technical-description",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/57bc6633-1aeb-4c20-a2a5-9b3fa10ba95d"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-3336",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-30T13:24:04.669977Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-30T13:24:20.760Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"product": "Event Monster",
"vendor": "Unknown",
"versions": [
{
"lessThan": "1.2.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Thura Moe Myint"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Event Monster WordPress plugin before 1.2.0 does not have CSRF check when deleting visitors, which could allow attackers to make logged in admin delete arbitrary visitors via a CSRF attack"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-11-29T13:35:07.863Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"exploit",
"vdb-entry",
"technical-description"
],
"url": "https://wpscan.com/vulnerability/57bc6633-1aeb-4c20-a2a5-9b3fa10ba95d"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Event Monster \u003c 1.2.0 - Visitors Deletion via CSRF",
"x_generator": {
"engine": "WPScan CVE Generator"
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2022-3336",
"datePublished": "2022-11-21T00:00:00.000Z",
"dateReserved": "2022-09-27T00:00:00.000Z",
"dateUpdated": "2025-04-30T13:24:20.760Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-3720 (GCVE-0-2022-3720)
Vulnerability from cvelistv5 – Published: 2022-11-21 00:00 – Updated: 2025-04-30 15:32
VLAI?
Title
Event Monster < 1.2.1 - Admin+ SQLi
Summary
The Event Monster WordPress plugin before 1.2.0 does not validate and escape some parameters before using them in SQL statements, which could lead to SQL Injection exploitable by high privilege users
Severity ?
7.2 (High)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Unknown | Event Monster |
Affected:
0 , < 1.2.0
(custom)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T01:20:57.121Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"exploit",
"vdb-entry",
"technical-description",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/0139a23c-4896-4aef-ab56-dcf7f07f01e5"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-3720",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-30T15:31:24.241872Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-30T15:32:41.083Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"product": "Event Monster",
"vendor": "Unknown",
"versions": [
{
"lessThan": "1.2.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Thura Moe Myint"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Event Monster WordPress plugin before 1.2.0 does not validate and escape some parameters before using them in SQL statements, which could lead to SQL Injection exploitable by high privilege users"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-89 SQL Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-11-29T13:35:05.303Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"exploit",
"vdb-entry",
"technical-description"
],
"url": "https://wpscan.com/vulnerability/0139a23c-4896-4aef-ab56-dcf7f07f01e5"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Event Monster \u003c 1.2.1 - Admin+ SQLi",
"x_generator": {
"engine": "WPScan CVE Generator"
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2022-3720",
"datePublished": "2022-11-21T00:00:00.000Z",
"dateReserved": "2022-10-27T00:00:00.000Z",
"dateUpdated": "2025-04-30T15:32:41.083Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}