CVE-2024-11396

Medium

Published: 14 January 2025

Published

14 January 2025

Modified

05 June 2025

KEV Added

—

Patch

—

CVSS Score 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

EPSS Score 0.5417 98.0th percentile

Risk Priority 43 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-11396 is a medium-severity Exposure of Private Personal Information to an Unauthorized Actor (CWE-359) vulnerability in Awplife Event Monster. Its CVSS base score is 5.3 (Medium).

Operationally, ranked in the top 2.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-22 (Publicly Accessible Content) and SC-14 (Public Access Protections).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

AC-22 Publicly Accessible Content good match

prevent

AC-22 directly restricts access to publicly accessible content like the hardcoded CSV file in wp-content, preventing unauthenticated extraction of sensitive visitor data.

SC-14 Public Access Protections good match

prevent

SC-14 enforces approved authorizations and protections for publicly accessible information, mitigating unauthorized access to the sensitive CSV file via public service interfaces.

SI-2 Flaw Remediation good match

prevent

SI-2 identifies, reports, and corrects flaws such as the vulnerable Visitors List Export feature in the plugin, remediating the information exposure before exploitation.

NVD Description

The Event Monster – Event Management, Tickets Booking, Upcoming Event plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.4.3 via the Visitors List Export file. During the export, a CSV file is created…

in the wp-content folder with a hardcoded filename that is publicly accessible. This makes it possible for unauthenticated attackers to extract data about event visitors, that includes first and last names, email, and phone number.

Deeper analysisAI

CVE-2024-11396, published on 2025-01-14, is an information exposure vulnerability (CWE-359) in the Event Monster – Event Management, Tickets Booking, Upcoming Event plugin for WordPress, affecting all versions up to and including 1.4.3. The flaw occurs in the Visitors List Export feature, where a CSV file is generated in the publicly accessible wp-content folder using a hardcoded filename, enabling unauthorized access to sensitive visitor data.

Unauthenticated attackers can exploit this vulnerability remotely with low complexity and no user interaction, as indicated by its CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N). By requesting the predictable CSV file URL, they can extract event visitor details, including first names, last names, email addresses, and phone numbers.

Advisories provide further technical details for mitigation; the Wordfence threat intelligence page at https://www.wordfence.com/threat-intel/vulnerabilities/id/0f522dfe-f2c2-4adb-980c-1f03d3c26e12?source=cve outlines the issue, while the plugin source code at https://plugins.trac.wordpress.org/browser/event-monster/tags/1.4.3/em-ajax-prossesing/em-visitor-ajax.php#L92 identifies the vulnerable export logic at line 92. Security practitioners should check for plugin updates beyond 1.4.3 and review server configurations to restrict wp-content access.

Details

CWE(s): CWE-359

Affected Products

awplife

event monster

≤ 1.4.4

CVEs Like This One

CVE-2025-20060Shared CWE-359

CVE-2026-24735Shared CWE-359

CVE-2026-6765Shared CWE-359

CVE-2020-37173Shared CWE-359

CVE-2026-34226Shared CWE-359

CVE-2024-11216Shared CWE-359

References

https://plugins.trac.wordpress.org/browser/event-monster/tags/1.4.3/em-ajax-prossesing/em-visitor-ajax.php#L92
Product · security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/0f522dfe-f2c2-4adb-980c-1f03d3c26e12?source=cve
Third Party Advisory · security@wordfence.com