CVE-2024-1126: CWE-862 Missing Authorization in metagauss EventPrime – Events Calendar, Bookings and Tickets
CVE-2024-1126 is a medium-severity vulnerability in the EventPrime – Events Calendar, Bookings and Tickets WordPress plugin, affecting all versions up to and including 3.4.1. It arises from a missing authorization check in the get_attendees_email_by_event_id() function, which lets any authenticated user with subscriber-level access or higher retrieve the attendee email list for any event, not only events the user is involved with. The flaw compromises confidentiality only; data integrity and availability are unaffected. Exploitation requires nothing beyond a subscriber account and no user interaction, so sites that allow open registration and run the plugin are the easiest targets. No exploitation in the wild has been reported. Organizations using this plugin should apply the vendor update as soon as it is available and, in the meantime, restrict who can reach the function and monitor for abuse. Countries with high WordPress usage and significant adoption of this plugin, especially those with active event management sectors, are most exposed.
AI Analysis
Technical Summary
CVE-2024-1126 identifies a missing authorization vulnerability (CWE-862) in the EventPrime – Events Calendar, Bookings and Tickets plugin for WordPress. The flaw is in the get_attendees_email_by_event_id() function, which does not verify that the requesting user is permitted to read attendee email lists before returning them. All plugin versions up to and including 3.4.1 are affected. An attacker with an authenticated subscriber-level account, or any higher role, can call the function to retrieve the email addresses of attendees for any event managed by the plugin. The vulnerability is exploitable remotely over the network; it needs only the lowest WordPress privilege level and no user interaction, which is what makes it attractive on sites with open registration. The reported CVSS v3.1 score is 5.3 (medium), reflecting an impact limited to confidentiality, with no effect on integrity or availability. No patch or fix is linked in the record yet, and no exploitation in the wild has been reported. In WordPress plugins this bug class usually takes the form of an admin-ajax.php or REST handler that confirms only that the caller is logged in, or only that a nonce is valid, without a current_user_can() capability check; a nonce defends against CSRF and is not a substitute for authorization.
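To make the CWE-862 pattern concrete, here is an added illustration written for this page, not EventPrime's actual source and not the vendor's fix: a WordPress AJAX handler that returns attendee e-mails with no authorization check, followed by a hardened version of the same handler. The hook name `ep_attendee_emails`, the meta key `_ep_attendee_email`, the post type `em_event`, the helper `ep_lookup_attendee_emails()` and the choice of the `manage_options` capability are all assumptions made for the example.

```php
<?php
/*
 * Added illustration of CWE-862 in a WordPress AJAX handler, written for this
 * page. It is NOT EventPrime's source: the hook name 'ep_attendee_emails',
 * the meta key '_ep_attendee_email', the post type 'em_event' and the chosen
 * capability are assumptions made for the example.
 */

// Assumed data layer: one post-meta row per attendee e-mail on the event post.
function ep_lookup_attendee_emails( $event_id ) {
	$emails = get_post_meta( $event_id, '_ep_attendee_email', false );
	return array_values( array_unique( array_map( 'sanitize_email', $emails ) ) );
}

/* --- Before: the CWE-862 pattern ----------------------------------------- */
// Any logged-in user (subscribers included) can reach a wp_ajax_* handler.
// The only gate below is the login session itself; nothing asks whether THIS
// user may see THIS event's attendees, so event_id can simply be enumerated.
function ep_get_attendees_email_by_event_id_before() {
	$event_id = isset( $_POST['event_id'] ) ? absint( $_POST['event_id'] ) : 0;
	wp_send_json_success( ep_lookup_attendee_emails( $event_id ) );
}

/* --- After: CSRF check, object check, capability check, default deny ------ */
function ep_get_attendees_email_by_event_id_after() {
	// CSRF: the request must carry a nonce minted for this action. On failure
	// check_ajax_referer() ends the request. This is NOT authorization.
	check_ajax_referer( 'ep_attendee_emails', 'nonce' );

	// Input: only a positive integer that resolves to an event post is accepted.
	$event_id = isset( $_POST['event_id'] ) ? absint( $_POST['event_id'] ) : 0;
	$event    = $event_id ? get_post( $event_id ) : null;
	if ( ! $event || 'em_event' !== $event->post_type ) {
		wp_send_json_error( array( 'message' => 'Unknown event.' ), 404 );
	}

	// Authorization (the check that was missing): site admins, or the author
	// of this particular event. Anyone else is denied, whatever their role.
	$is_admin = current_user_can( 'manage_options' );
	$is_owner = (int) $event->post_author === get_current_user_id();
	if ( ! $is_admin && ! $is_owner ) {
		// Denials are worth logging: one account probing many event_ids in a
		// short window is the enumeration pattern defenders should watch for.
		error_log( sprintf(
			'ep_attendee_emails denied user=%d event=%d ip=%s',
			get_current_user_id(),
			$event_id,
			isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-'
		) );
		wp_send_json_error( array( 'message' => 'Forbidden.' ), 403 );
	}

	wp_send_json_success( ep_lookup_attendee_emails( $event_id ) );
}

// Only the hardened handler is hooked; the "before" version is kept above
// purely for comparison and is never registered.
add_action( 'wp_ajax_ep_attendee_emails', 'ep_get_attendees_email_by_event_id_after' );
```

The front end that calls the hardened handler has to include a `nonce` field generated with wp_create_nonce( 'ep_attendee_emails' ), typically passed to the script via wp_localize_script(). Two design points matter more than the nonce: the capability test runs on every request rather than relying on the menu or page being hidden from subscribers, and the ownership test means even a legitimate event manager cannot pull another organizer's attendee list. A real plugin would normally register its own capability for this rather than reusing manage_options.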
Potential Impact
The primary impact is unauthorized disclosure of attendee email addresses, a confidentiality breach. Because the lists are tied to specific events, an attacker learns not only addresses but who attended what, which makes the data well suited to targeted phishing, spam, and social engineering that impersonates the event organizer. Integrity and availability are unaffected, but exposing personal data can damage organizational reputation and violate privacy regulations such as GDPR or CCPA. Since exploitation requires only subscriber-level access, any self-registered, compromised, or malicious account is sufficient, so sites with open registration have the largest attack surface. The absence of known exploits reduces immediate risk but does not eliminate it: attackers routinely reconstruct working exploits for disclosed plugin flaws by diffing the patched and unpatched releases once a fix ships.
Mitigation Recommendations
Until an official patch is released, organizations should implement the following mitigations:
1) Disable open user registration (Settings → General → "Anyone can register") if it is not needed, or closely review new subscriber accounts, since a subscriber account is all an attacker requires.
2) Restrict reach to the attendee-email function itself rather than the plugin as a whole: if the export is not essential, disable or remove the plugin; if it is, ensure only administrators and event managers can invoke it.
3) Use a web application firewall to rate-limit or block requests to the plugin's attendee-email endpoint from sessions below the administrator or event-manager role.
4) Monitor web server and application logs for a single account requesting attendee data across many event IDs in a short period, which is the signature of enumeration.
5) Warn event participants about phishing that may follow a leak of their addresses.
6) Verify the installed version (vulnerable if 3.4.1 or lower) and apply the vendor update as soon as it is released, then remove any interim controls.
7) Review WordPress roles and capabilities so that least privilege is enforced and no custom role grants more than it needs.
8) Where practical, isolate event management on a separate WordPress instance with stricter access controls, so a subscriber account on the main site cannot reach it.
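Items 2, 3 and 4 can be implemented on the site itself without waiting for the vendor. The following is an added example for this page, not vendor or OffSeq code: a must-use plugin dropped into wp-content/mu-plugins/ that hooks the export action ahead of the plugin's own handler, denies callers below a chosen capability, counts denials per account, and alerts when one account keeps probing. The AJAX action name `ep_attendee_emails` is an assumption; the real one must be read from the plugin's add_action( 'wp_ajax_...' ) registration on the installed version, and the guard does nothing if the plugin exposes the function some other way (REST route, shortcode handler).

```php
<?php
/*
 * Plugin Name: Interim guard for attendee e-mail export
 * Description: Added example for this page of a site-side "virtual patch"
 *              placed in wp-content/mu-plugins/. Not vendor code. The AJAX
 *              action name below is an ASSUMPTION: take the real one from the
 *              plugin's add_action( 'wp_ajax_...' ) registration (grep the
 *              plugin directory for wp_ajax_) before deploying.
 */

const EP_GUARD_ACTION     = 'ep_attendee_emails'; // assumed; verify against the plugin source
const EP_GUARD_CAPABILITY = 'manage_options';     // who may still use the endpoint
const EP_GUARD_ALERT_AT   = 5;                    // denials per account per hour that trigger an alert

// Priority 0 runs before the plugin's own handler (add_action defaults to 10).
// wp_send_json_error() terminates the request, so the leaky handler never runs
// for a denied caller; for an allowed caller we return and WordPress continues.
add_action( 'wp_ajax_' . EP_GUARD_ACTION, 'ep_guard_attendee_export', 0 );

function ep_guard_attendee_export() {
	if ( current_user_can( EP_GUARD_CAPABILITY ) ) {
		return;
	}
	$user_id = get_current_user_id();
	$count   = ep_guard_record_denial( $user_id );
	error_log( sprintf(
		'EP guard: denied %s user=%d ip=%s denials_this_hour=%d',
		EP_GUARD_ACTION,
		$user_id,
		isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-',
		$count
	) );
	if ( EP_GUARD_ALERT_AT === $count ) {
		// Alert once per threshold crossing: repeated probing from a single
		// low-privilege account is the access pattern worth escalating.
		wp_mail(
			get_option( 'admin_email' ),
			'Blocked repeated attendee-export attempts',
			sprintf( 'User ID %d hit the guarded endpoint %d times this hour.', $user_id, $count )
		);
	}
	wp_send_json_error( array( 'message' => 'Forbidden.' ), 403 );
}

// Per-account, per-hour denial counter kept in a transient; no schema changes.
function ep_guard_record_denial( $user_id ) {
	$key   = 'ep_guard_denied_' . $user_id . '_' . gmdate( 'YmdH' );
	$count = (int) get_transient( $key ) + 1;
	set_transient( $key, $count, HOUR_IN_SECONDS );
	return $count;
}
```

The guard is deliberately blunt: it allows only the configured capability and does not know which event belongs to whom, so on sites where event managers legitimately export their own attendee lists, set EP_GUARD_CAPABILITY to the capability that role carries. Treat it as a stopgap and remove it once the patched plugin version is installed, since a forgotten hook at priority 0 will silently shadow whatever the vendor's fixed handler does.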
Affected Countries
United States, United Kingdom, Germany, Canada, Australia, India, France, Brazil, Netherlands, Japan, South Africa
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2024-01-31T14:16:08.120Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6d22b7ef31ef0b56e3bf
Added to database: 2/25/2026, 9:44:02 PM
Last enriched: 2/26/2026, 9:16:56 AM
Last updated: 2/26/2026, 9:39:24 AM
Related Threats
CVE-2026-28138: Deserialization of Untrusted Data in Stylemix uListing (High)
CVE-2026-28136: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in VeronaLabs WP SMS (High)
CVE-2026-28132: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in villatheme WooCommerce Photo Reviews (High)
CVE-2026-28131: Insertion of Sensitive Information Into Sent Data in WPVibes Elementor Addon Elements (High)
CVE-2026-28083: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in UX-themes Flatsome (High)