Cyber Resilience

CVE-2024-11396

Medium

Published: 14 January 2025
Modified: 05 June 2025
CVSS v3.1: 5.3 (Medium), vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
EPSS: 0.6027 (98.3rd percentile)
Risk Priority: 47 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-11396 is a medium-severity Exposure of Private Personal Information to an Unauthorized Actor (CWE-359) vulnerability in Awplife Event Monster. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 1.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-22 (Publicly Accessible Content) and SC-14 (Public Access Protections).

Deeper analysis

The Event Monster – Event Management, Tickets Booking, Upcoming Event plugin for WordPress is vulnerable to information exposure in all versions up to and including 1.4.3. The flaw resides in the Visitors List Export feature: during export processing it writes a CSV file containing attendee details to a hardcoded, publicly reachable path under wp-content, where the web server serves it like any other static file.

Unauthenticated remote attackers only need to request the predictable CSV filename to obtain the first and last names, email addresses, and phone numbers of event visitors. The issue requires no credentials, user interaction, or special network conditions, which is what the vector's AV:N/AC:L/PR:N/UI:N components express; only confidentiality is affected (C:L, I:N, A:N), hence the 5.3 base score rather than a higher one.

References from Wordfence and the plugin source repository confirm the exposure path but do not detail the patch contents or any mitigation beyond upgrading past version 1.4.3. The EPSS score currently sits at 0.6027 with a peak of 0.6048; the supplied data shows no material rise from a low baseline, so the elevated exploit likelihood has been present since the score was first assigned.

Vulnerability details

The Event Monster – Event Management, Tickets Booking, Upcoming Event plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.4.3 via the Visitors List Export file. During the export, a CSV file is created in the wp-content folder with a hardcoded filename that is publicly accessible. This makes it possible for unauthenticated attackers to extract data about event visitors, including first and last names, email, and phone number.

CWE(s)

CWE-359 Exposure of Private Personal Information to an Unauthorized Actor

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Direct remote unauthenticated access to exposed sensitive data file via public-facing WordPress plugin vulnerability.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-24735 (shared CWE-359)
CVE-2025-20060 (shared CWE-359)
CVE-2020-37173 (shared CWE-359)
CVE-2026-28906 (shared CWE-359)
CVE-2026-6765 (shared CWE-359)
CVE-2026-34226 (shared CWE-359)
CVE-2025-13477 (shared CWE-359)
CVE-2024-11216 (shared CWE-359)

Affected Assets

awplife
event monster
≤ 1.4.3 (the advisory text states the flaw affects all versions through 1.4.3; the asset record on this page lists the range as ≤ 1.4.4, so treat 1.4.4 as the first version to verify against the vendor's changelog rather than as known-vulnerable)

Mitigating Controls (NIST 800-53 r5)

AC-22 Publicly Accessible Content (prevent): directly restricts access to publicly accessible content such as the hardcoded CSV file in wp-content, preventing unauthenticated extraction of sensitive visitor data.

SC-14 Public Access Protections (prevent): enforces approved authorizations and protections for publicly accessible information, mitigating unauthorized access to the sensitive CSV file via public service interfaces.

SI-2 Flaw Remediation (prevent): identifies, reports, and corrects flaws such as the vulnerable Visitors List Export feature in the plugin, remediating the information exposure before exploitation.
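The following is an added illustration, not code from the Event Monster plugin or from Wordfence, of the flaw class described under Deeper analysis and of the AC-22 / SC-14 controls listed above. The first handler shows the vulnerable pattern (attendee PII written to a fixed, web-reachable filename under wp-content); the second shows the form a reviewer would want, where only an authenticated, privileged user can trigger the export, the request carries a nonce, and the CSV is streamed to that user's browser so nothing is left under the document root. All function, hook and nonce names are hypothetical, the sample rows are constructed, and the plugin's real export filename is not given on this page and is not guessed here.

```php
<?php
// Added example, not the Event Monster plugin's own code. Names are hypothetical.

// --- Vulnerable pattern (the class of flaw the advisory describes) ---
// The export writes attendee PII to a fixed path inside WP_CONTENT_DIR. The web
// server treats that path like any static asset, so an unauthenticated GET for the
// predictable filename returns every visitor's name, email address and phone number.
function em_example_export_insecure(array $visitors): string {
    $path = WP_CONTENT_DIR . '/em-visitors-export.csv'; // hypothetical fixed filename
    $fh = fopen($path, 'w');
    fputcsv($fh, ['first_name', 'last_name', 'email', 'phone']);
    foreach ($visitors as $v) {
        fputcsv($fh, [$v['first_name'], $v['last_name'], $v['email'], $v['phone']]);
    }
    fclose($fh);
    // Hands the admin a public URL; anyone else who knows the name gets the same file.
    return content_url('em-visitors-export.csv');
}

// --- Hardened form ---
// 1. Capability check: only a privileged, logged-in user reaches the export.
// 2. Nonce check: the request cannot be forged cross-site.
// 3. The CSV goes straight to php://output with no-cache and attachment headers, so
//    no file is created under the document root and there is nothing to fetch later.
function em_example_export_secure(array $visitors): void {
    if (!current_user_can('manage_options')) {
        wp_die('Insufficient privileges.', '', ['response' => 403]);
    }
    check_admin_referer('em_example_export_visitors'); // hypothetical nonce action

    nocache_headers();
    header('Content-Type: text/csv; charset=utf-8');
    header('Content-Disposition: attachment; filename="visitors-' . gmdate('Ymd-His') . '.csv"');
    header('X-Content-Type-Options: nosniff');

    $out = fopen('php://output', 'w');
    fputcsv($out, ['first_name', 'last_name', 'email', 'phone']);
    foreach ($visitors as $v) {
        fputcsv($out, [$v['first_name'], $v['last_name'], $v['email'], $v['phone']]);
    }
    fclose($out);
    exit;
}

// Stand-in for the plugin's data access; constructed sample rows, not real attendees.
function em_example_load_visitors(): array {
    return [
        ['first_name' => 'Ada',  'last_name' => 'Lovelace', 'email' => 'ada@example.org',  'phone' => '+44 20 7946 0000'],
        ['first_name' => 'Alan', 'last_name' => 'Turing',   'email' => 'alan@example.org', 'phone' => '+44 20 7946 0001'],
    ];
}

// Register the hardened handler on admin-post.php. Only the authenticated hook is
// registered (no admin_post_nopriv_ variant), so logged-out requests never reach it.
add_action('admin_post_em_example_export_visitors', function () {
    em_example_export_secure(em_example_load_visitors());
});
```

The admin page that offers the export would render a form posting to admin_url('admin-post.php') with a hidden action field set to em_example_export_visitors and a wp_nonce_field('em_example_export_visitors') so that check_admin_referer() succeeds. If a plugin genuinely must persist the export (for a background job, say), the file belongs outside the web root or in an uploads subdirectory with a server-level deny rule, under an unguessable name, and should be deleted once delivered; the AC-22 control above is satisfied either by not creating a public artifact at all or by making the location non-public, not by relying on the filename being unknown.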
