CVE-2024-32110

Vulnerability

Cross-Site Request Forgery (CSRF) vulnerability exists in the WpEvently plugin (mage-eventpress) for WordPress, affecting versions from n/a through 4.1.2. The flaw allows an attacker to trick a logged-in administrator or other privileged user into executing unintended actions without their consent [1].

Exploitation

An attacker must craft a malicious link or form and convince a privileged user (e.g., site administrator) to click it or submit it while they are authenticated to the WordPress admin panel. No additional privileges are required on the attacker's part [1].

Impact

Successful exploitation enables the attacker to force the victim to perform actions under their own session, such as modifying plugin settings, creating or deleting events, or potentially altering site configuration. This leads to unauthorized changes within the scope of the victim user's permissions [1].

Mitigation

The vulnerability is fixed in version 4.1.3 of the plugin. Users should update to this version or later as soon as possible. The vendor has released the update, and Patchstack users can enable auto-updates for vulnerable plugins [1]. No workaround is documented for versions that cannot be updated immediately.