Event Monster <= 1.4.3 - Information Exposure Via Visitors List Export
Description
Unauthenticated information exposure via hardcoded CSV filename in Event Monster plugin up to 1.4.3.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Event Monster plugin for WordPress, in versions up to and including 1.4.3, writes a CSV file with the hardcoded filename em-visitors-data.csv to the wp-content folder when the visitors list is exported [2]. This file is publicly accessible without any authentication, exposing visitor data.
Exploitation
An unauthenticated attacker can simply navigate to wp-content/em-visitors-data.csv to download the file [2]. The filename is hardcoded and does not include random or time-based components, making it predictable. No user interaction or special privileges are required.
Impact
Successful exploitation leads to the exposure of personal information of event visitors, including first names, last names, email addresses, and phone numbers [1]. This constitutes a confidentiality breach of sensitive data.
Mitigation
The vulnerability is patched in version 2.0.1 of the plugin [1]. Users should update to version 2.0.1 or later immediately. If updating is not possible, consider implementing server-level access controls to restrict access to the export file.
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
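To establish whether the export file was actually retrieved before the update or an access rule was in place, the request described under Exploitation can be matched in web-server access logs. The following is an added example, not code from the plugin or from this advisory; it assumes the Apache/nginx "combined" log format, and the function names and sample log lines are constructed for illustration.

```python
import posixpath
import re
from collections import defaultdict
from urllib.parse import unquote

EXPORT = ["wp-content", "em-visitors-data.csv"]  # path named in the advisory
# Apache/nginx "combined" access-log layout (assumed log format).
LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                  r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" '
                  r'(?P<status>\d{3}) (?P<size>\d+|-)')

def targets_export(target):
    """True if the request path resolves to .../wp-content/em-visitors-data.csv."""
    path = unquote(target.split("?", 1)[0]).lower()
    # normpath folds "//", "/./" and "/x/../" much as a web server would.
    parts = [p for p in posixpath.normpath(path).split("/") if p]
    return parts[-2:] == EXPORT

def classify(line):
    """Return (ip, ts, verdict) for a request to the export file, else None."""
    m = LINE.match(line)
    if not m or not targets_export(m["target"]):
        return None
    size = 0 if m["size"] == "-" else int(m["size"])
    # "served": file content left the server. Anything else (HEAD, 403, 404,
    # empty body) is recorded as a "probe" for the export path.
    served = m["method"] == "GET" and m["status"] in ("200", "206") and size > 0
    return m["ip"], m["ts"], "served" if served else "probe"

def summarize(lines):
    """Group timestamps by verdict and client IP."""
    out = {"served": defaultdict(list), "probe": defaultdict(list)}
    for hit in filter(None, map(classify, lines)):
        ip, ts, verdict = hit
        out[verdict][ip].append(ts)
    return {k: dict(v) for k, v in out.items()}

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '203.0.113.7 - - [12/Mar/2025:10:01:22 +0000] "GET /wp-content/em-visitors-data.csv HTTP/1.1" 200 18342 "-" "-"',
    '203.0.113.7 - - [12/Mar/2025:10:01:25 +0000] "GET /blog//wp-content/./em%2Dvisitors%2Ddata.csv?v=1 HTTP/1.1" 206 4096 "-" "-"',
    '198.51.100.20 - - [12/Mar/2025:11:30:00 +0000] "HEAD /wp-content/em-visitors-data.csv HTTP/1.1" 200 - "-" "-"',
    '198.51.100.20 - - [13/Mar/2025:09:00:00 +0000] "GET /wp-content/em-visitors-data.csv HTTP/1.1" 403 153 "-" "-"',
    '192.0.2.55 - - [13/Mar/2025:09:05:00 +0000] "GET /wp-content/uploads/report.csv HTTP/1.1" 200 900 "-" "-"',
]

if __name__ == "__main__":
    for verdict, by_ip in summarize(SAMPLE).items():
        for ip, stamps in by_ip.items():
            print(verdict, ip, stamps)
```

Any "served" entry means the visitor data should be treated as disclosed to that client; "probe" entries after a fix show the path is still being requested.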
Affected products
- Range: <=1.4.3
- awordpresslife/Event Monster – Manager & Ticket Booking | v5 | Range: 0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.