Event Monster < 1.2.0 - Visitors Deletion via CSRF
Description
The Event Monster WordPress plugin before 1.2.0 lacks a CSRF check when deleting visitors, allowing attackers to trick an admin into deleting arbitrary visitors.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Event Monster WordPress plugin versions prior to 1.2.0 do not include a Cross-Site Request Forgery (CSRF) check in the visitor deletion functionality [1]. Requests to delete a visitor are therefore not validated against a secret token tied to the user's session, so the action is susceptible to CSRF. The vulnerable code path is reached when an administrator with visitor management privileges is logged in and visits a page crafted by an attacker [1].
Exploitation
An attacker can craft a malicious link or webpage that, when visited by a logged-in administrator, triggers a request to delete a specific visitor on the victim's WordPress site [1]. No authentication is needed by the attacker; they only need to lure an authenticated admin to the crafted page (e.g., via email or a compromised site) and the admin's browser will automatically send the forged request, including the admin's session cookies, to the vulnerable endpoint [1].
Impact
A successful CSRF attack allows an attacker to delete arbitrary visitors from the Event Monster system without the admin's knowledge or consent [1]. This can lead to loss of event attendance data and disruption of the event management workflow. The attacker gains no direct code execution or privilege escalation, but the integrity and availability of visitor records are compromised [1].
Mitigation
The vulnerability is fixed in version 1.2.0 of the Event Monster plugin [1]. Users should update to the latest version immediately. If updating is not possible, there is no known workaround; the only mitigation is to ensure administrators do not visit untrusted pages while logged in. The CVE is not listed in CISA's Known Exploited Vulnerabilities catalog.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- WordPress / Event Monster
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing CSRF nonce check on the visitor deletion action allows attackers to forge requests on behalf of an authenticated admin."
Attack vector
An attacker crafts a malicious page or link that, when visited by a logged-in WordPress administrator, silently submits a forged request to the Event Monster plugin's visitor deletion endpoint. Because the plugin lacks a CSRF check [CWE-352] [ref_id=1], the browser automatically includes the admin's session cookies, and the request is processed as if the admin intended it. This enables the attacker to delete arbitrary visitors without the admin's knowledge or consent.
Affected code
The advisory [ref_id=1] does not specify the exact file or function name. The vulnerable code resides in the Event Monster plugin's visitor deletion handler, which prior to version 1.2.0 lacked a CSRF check.
What the fix does
The advisory [ref_id=1] states the fix was released in version 1.2.0 of the Event Monster plugin. No patch diff is provided in the bundle, but the remediation for a CSRF vulnerability is to add a nonce or token check on the visitor deletion action so that the server verifies the request originated from the intended admin interface rather than an external site.
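As an added, defender-side illustration (not Event Monster's own code, which the advisory does not show), the following sketches a hypothetical WordPress admin-post handler for deleting a visitor: first in the unprotected shape the root cause describes, then with the nonce check that the 1.2.0 fix is described as adding. All `em_demo_*` function names, the `em-demo-visitors` page slug and the `em_demo_visitors` table are assumptions; the WordPress APIs (`current_user_can`, `wp_nonce_url`, `check_admin_referer`, `admin_post_*` hooks, `$wpdb->delete`) are real.

```php
<?php
// Added illustration, not the plugin's code: the advisory names no file or
// function, so every em_demo_* identifier and the table name are hypothetical.

// Hypothetical storage helper shared by both handlers below.
function em_demo_delete_visitor_record( $visitor_id ) {
    global $wpdb;
    return $wpdb->delete(
        $wpdb->prefix . 'em_demo_visitors',   // assumed table name
        array( 'id' => absint( $visitor_id ) ),
        array( '%d' )
    );
}

// --- Unprotected pattern (the shape the root cause describes) ---
// The capability check only proves an admin session cookie was sent. Nothing
// proves the admin's own browser initiated the request from the plugin's
// screen, so a request triggered from another origin is processed identically.
function em_demo_delete_visitor_unsafe() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges.' );
    }
    $visitor_id = isset( $_GET['visitor_id'] ) ? absint( $_GET['visitor_id'] ) : 0;
    em_demo_delete_visitor_record( $visitor_id );
    wp_safe_redirect( admin_url( 'admin.php?page=em-demo-visitors' ) );
    exit;
}

// --- Hardened pattern ---
// The plugin's own "Delete" link carries a nonce bound to the action string,
// which includes the visitor ID so a token for one record cannot be reused
// against another. The nonce only appears in HTML served to the logged-in
// admin; a page on another origin cannot read it.
function em_demo_delete_link( $visitor_id ) {
    $url = add_query_arg(
        array(
            'action'     => 'em_demo_delete_visitor',
            'visitor_id' => absint( $visitor_id ),
        ),
        admin_url( 'admin-post.php' )
    );
    // wp_nonce_url() appends _wpnonce=<token> for the given action string.
    return wp_nonce_url( $url, 'em_demo_delete_visitor_' . absint( $visitor_id ) );
}

function em_demo_delete_visitor_safe() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges.' );
    }
    $visitor_id = isset( $_GET['visitor_id'] ) ? absint( $_GET['visitor_id'] ) : 0;
    // check_admin_referer() verifies _wpnonce against the current user's
    // session and the action string; on mismatch it calls wp_die(), so a
    // forged cross-site request never reaches the delete call.
    check_admin_referer( 'em_demo_delete_visitor_' . $visitor_id );
    em_demo_delete_visitor_record( $visitor_id );
    wp_safe_redirect( admin_url( 'admin.php?page=em-demo-visitors' ) );
    exit;
}
// Only the hardened handler is wired to the admin-post endpoint.
add_action( 'admin_post_em_demo_delete_visitor', 'em_demo_delete_visitor_safe' );
```

The two handlers differ by a single line, which is the whole point of a missing-nonce finding: the capability check alone answers "is this user allowed?" but not "did this user actually ask?". Binding the nonce to the specific visitor ID rather than a generic `delete_visitor` action is a small extra step that stops a token harvested from one delete link from being replayed against other records during its lifetime.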
Preconditions
- Auth: A WordPress administrator must be logged in and have an active session.
- Network: The attacker must be able to deliver a crafted HTML page or link to the administrator (e.g., via email, forum post, or another website).
- Input: The attacker must know or be able to guess the visitor ID(s) to target for deletion.
Reproduction
The advisory [ref_id=1] does not include explicit reproduction steps beyond the description. No standalone PoC code is provided in the bundle.
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. wpscan.com/vulnerability/57bc6633-1aeb-4c20-a2a5-9b3fa10ba95d (mitre, exploit, vdb-entry, technical-description)
News mentions
No linked articles in our index yet.