CVE-2024-11396
Published: 14 January 2025
Summary
CVE-2024-11396 is a medium-severity Exposure of Private Personal Information to an Unauthorized Actor (CWE-359) vulnerability in Awplife Event Monster. Its CVSS base score is 5.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 1.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-22 (Publicly Accessible Content) and SC-14 (Public Access Protections).
Deeper analysis
The Event Monster – Event Management, Tickets Booking, Upcoming Event plugin for WordPress is vulnerable to information exposure in all versions through 1.4.3. The flaw resides in the Visitors List Export feature, which writes a CSV file containing attendee details to a hardcoded, publicly reachable path under wp-content during export processing.
Unauthenticated remote attackers can simply request the predictable CSV filename to obtain first and last names, email addresses, and phone numbers of event visitors. The issue requires no credentials, user interaction, or special network conditions, corresponding to the observed CVSS 5.3 rating.
References from Wordfence and the plugin source repository confirm the exposure path but do not detail specific patch contents or mitigation steps beyond upgrading past version 1.4.3. The EPSS score currently sits at 0.6027 with a peak of 0.6048; no material rise from a low baseline is indicated in the supplied data.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-34166
Vulnerability details
The Event Monster – Event Management, Tickets Booking, Upcoming Event plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.4.3 via the Visitors List Export file. During the export, a CSV file is created…
more
in the wp-content folder with a hardcoded filename that is publicly accessible. This makes it possible for unauthenticated attackers to extract data about event visitors, that includes first and last names, email, and phone number.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Direct remote unauthenticated access to exposed sensitive data file via public-facing WordPress plugin vulnerability.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
AC-22 directly restricts access to publicly accessible content like the hardcoded CSV file in wp-content, preventing unauthenticated extraction of sensitive visitor data.
SC-14 enforces approved authorizations and protections for publicly accessible information, mitigating unauthorized access to the sensitive CSV file via public service interfaces.
SI-2 identifies, reports, and corrects flaws such as the vulnerable Visitors List Export feature in the plugin, remediating the information exposure before exploitation.