CVE-2024-5333
Published: 16 December 2024
Summary
CVE-2024-5333 is a medium-severity vulnerability of unspecified weakness type (no CWE assigned) in StellarWP The Events Calendar. Its CVSS base score is 5.3 (Medium).
Operationally, it ranks in the top 6.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; and a public proof-of-concept is referenced.
Deeper analysis
The Events Calendar WordPress plugin before version 6.8.2.1 contains a vulnerability in which access-control checks are absent from its REST API endpoints. This flaw permits unauthenticated callers to retrieve details about events that have been protected with passwords. The issue is reflected in a CVSS 3.1 base score of 5.3, driven by network attack vector, low complexity, and no required privileges or user interaction.
An unauthenticated attacker can send crafted requests to the plugin’s REST API and obtain metadata or other information about password-protected events that would otherwise be inaccessible. The exposure is limited to confidentiality, with no direct impact on integrity or availability.
The referenced WPScan advisory identifies the affected plugin versions and indicates that the issue is resolved in release 6.8.2.1. The associated EPSS score has remained flat at 0.1097 with no material increase since disclosure.
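The following PHP is an added illustrative example, not code from The Events Calendar plugin or from the WPScan advisory, showing the class of defect described above: a WordPress REST route registered with no real access check, beside a hardened registration whose permission_callback refuses to serve password-protected posts to callers who have not satisfied the password check or cannot otherwise read the post. The route namespace, the post type 'tribe_events', and all example_* function names are assumptions, not the plugin's identifiers.

```php
<?php
// Added illustrative example (not the plugin's code). Assumes the WordPress
// REST API; the route namespace, the post type 'tribe_events' and the
// example_* function names are hypothetical stand-ins.

// Weak pattern: permission_callback unconditionally returns true, so the
// handler serves password-protected events to any unauthenticated request.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/events/(?P<id>\d+)', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_get_event',
        'permission_callback' => '__return_true',
    ) );
} );

// Hardened pattern: deny the request when the post is password protected and
// the caller has neither supplied the password nor the capability to read it.
function example_event_permission( WP_REST_Request $request ) {
    $post = get_post( (int) $request['id'] );
    if ( ! $post || 'tribe_events' !== $post->post_type ) {
        return new WP_Error( 'rest_not_found', 'Event not found.', array( 'status' => 404 ) );
    }
    // post_password_required() is true when the post has a password and the
    // visitor's cookie does not carry a matching hash.
    if ( post_password_required( $post ) && ! current_user_can( 'read_post', $post->ID ) ) {
        return new WP_Error(
            'rest_forbidden',
            'This event is password protected.',
            array( 'status' => rest_authorization_required_code() )
        );
    }
    return true;
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/events-secure/(?P<id>\d+)', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_get_event',
        'permission_callback' => 'example_event_permission',
        'args'                => array(
            'id' => array(
                'validate_callback' => function ( $value ) {
                    return is_numeric( $value );
                },
            ),
        ),
    ) );
} );

// Handler shared by both routes; it returns only a small, explicit set of
// fields so that even a future check bypass exposes no more than this.
function example_get_event( WP_REST_Request $request ) {
    $post = get_post( (int) $request['id'] );
    return rest_ensure_response( array(
        'id'    => $post->ID,
        'title' => get_the_title( $post ),
        'date'  => $post->post_date_gmt,
    ) );
}
```

The point of the hardened registration is that the decision is made in permission_callback, which the REST server evaluates before the handler runs, so a missing or permissive callback is exactly the condition that lets unauthenticated callers read protected event data.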
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-47146
Vulnerability details
The Events Calendar WordPress plugin before 6.8.2.1 is missing access checks in the REST API, allowing for unauthenticated users to access information about password protected events.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.