
CVE-2024-13526: CWE-862 Missing Authorization in metagauss EventPrime – Events Calendar, Bookings and Tickets

Severity: Medium
Tags: Vulnerability, CVE-2024-13526, CWE-862
Published: Fri Mar 07 2025 (03/07/2025, 01:44:54 UTC)
Source: CVE Database V5
Vendor/Project: metagauss
Product: EventPrime – Events Calendar, Bookings and Tickets

Description

CVE-2024-13526 is a medium-severity vulnerability in the EventPrime – Events Calendar, Bookings and Tickets WordPress plugin caused by a missing authorization check in the export_submittion_attendees function. Authenticated users with Subscriber-level access or higher can exploit this flaw to download attendee lists for any event without proper permissions. The vulnerability affects all versions up to and including 4.0.7.3. It requires no user interaction beyond authentication and has a CVSS score of 4.3, reflecting a limited confidentiality impact with no integrity or availability impact. No public exploits are currently known. Organizations using this plugin should prioritize patching or applying access control restrictions to prevent unauthorized data exposure.

AI-Powered Analysis

AI analysis last updated: 02/26/2026, 00:15:18 UTC

Technical Analysis

CVE-2024-13526 is a vulnerability identified in the EventPrime – Events Calendar, Bookings and Tickets plugin for WordPress, maintained by metagauss. The root cause is a missing authorization check (CWE-862) in the export_submittion_attendees function, which handles exporting event attendee data. This flaw allows any authenticated user with at least Subscriber-level privileges to bypass intended access controls and download attendee lists for any event managed by the plugin. The vulnerability affects all versions up to and including 4.0.7.3. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) indicates that the attack can be performed remotely over the network with low attack complexity, requiring only low privileges (authenticated user) and no user interaction. The impact is limited to confidentiality, as unauthorized users can access attendee data, but there is no impact on data integrity or system availability. No known exploits have been observed in the wild, and no patches have been linked yet. This vulnerability poses a privacy risk, potentially exposing sensitive attendee information such as names, contact details, or other personal data collected during event registration.

Potential Impact

The primary impact of this vulnerability is unauthorized disclosure of attendee information, which can lead to privacy violations and potential compliance issues with data protection regulations such as GDPR or CCPA. Organizations using the affected plugin may face reputational damage if attendee data is leaked or misused. While the vulnerability does not allow modification or deletion of data, the exposure of personal information can facilitate targeted phishing, social engineering, or other follow-on attacks. Event organizers, especially those managing large-scale or sensitive events, are at risk of attendee data compromise. The scope includes any WordPress site using EventPrime for event management, which could be widespread given WordPress's global market share. The ease of exploitation by low-privilege authenticated users increases the threat, especially in environments where subscriber accounts are easily created or compromised.

Mitigation Recommendations

To mitigate this vulnerability, organizations should immediately verify if they are running EventPrime versions up to 4.0.7.3 and plan to upgrade to a patched version once available. In the absence of an official patch, administrators should restrict Subscriber-level user capabilities to prevent access to the export_submittion_attendees function, potentially by customizing user roles or applying access control plugins that enforce capability checks on this functionality. Monitoring and auditing user activity related to event attendee exports can help detect unauthorized access attempts. Additionally, organizations should review and tighten user registration policies to limit the creation of low-privilege accounts and implement multi-factor authentication to reduce the risk of account compromise. Regular backups and data encryption can further protect sensitive attendee information. Finally, event organizers should inform attendees about the potential risk and advise on vigilance against phishing or suspicious communications.
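The mitigation above comes down to enforcing a capability check, and ideally a per-event ownership check, before any attendee data is sent. The following PHP is an added illustration of that CWE-862 pattern in a WordPress AJAX handler and its hardened form; it is not EventPrime's code, and every name in it (the `example_export_attendees` action and capability, the `example_event` post type, the `_example_attendees` meta key, the helper function) is a hypothetical stand-in.

```php
<?php
/**
 * Added illustration of CWE-862 (missing authorization) in a WordPress AJAX
 * export handler, beside a hardened version. Hypothetical names throughout;
 * this is not the EventPrime plugin's code.
 */

// --- Vulnerable pattern -------------------------------------------------------
// wp_ajax_* hooks fire for EVERY logged-in account, Subscriber included, so the
// only "check" here is that the caller is authenticated. Nothing asks whether the
// caller may see this event's attendees.
add_action( 'wp_ajax_example_export_attendees', 'example_export_attendees_vulnerable' );
function example_export_attendees_vulnerable() {
    $event_id = isset( $_GET['event_id'] ) ? absint( $_GET['event_id'] ) : 0;
    example_send_attendee_csv( $event_id ); // no capability or ownership check
}

// --- Hardened form -----------------------------------------------------------
// Nonce, coarse capability, and object-level ownership checks all run before any
// data leaves; every export is logged so monitoring can flag unexpected activity.
add_action( 'wp_ajax_example_export_attendees_secure', 'example_export_attendees_secure' );
function example_export_attendees_secure() {
    // 1. CSRF protection: the request must carry a nonce issued to this user.
    check_ajax_referer( 'example_export_attendees', 'nonce' );

    // 2. Coarse authorization: only roles holding this custom capability may export.
    //    The capability is assumed to be registered on plugin activation and granted
    //    to administrators and event organizers, never to the Subscriber role.
    if ( ! current_user_can( 'example_export_attendees' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    // 3. Object-level authorization: the caller must be allowed to see THIS event.
    $event_id = isset( $_GET['event_id'] ) ? absint( $_GET['event_id'] ) : 0;
    $event    = get_post( $event_id );
    if ( ! $event || 'example_event' !== $event->post_type ) {
        wp_send_json_error( array( 'message' => 'Unknown event' ), 404 );
    }
    $is_owner = (int) $event->post_author === get_current_user_id();
    if ( ! $is_owner && ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    // 4. Audit trail: who exported which event, from where.
    error_log( sprintf(
        'attendee export: user=%d event=%d ip=%s',
        get_current_user_id(),
        $event_id,
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : ''
    ) );

    example_send_attendee_csv( $event_id );
}

/**
 * Hypothetical helper: streams the attendee list stored in the
 * '_example_attendees' post meta (an array of name/email rows) as CSV.
 */
function example_send_attendee_csv( $event_id ) {
    $rows = get_post_meta( $event_id, '_example_attendees', true );
    if ( ! is_array( $rows ) ) {
        $rows = array();
    }
    nocache_headers();
    header( 'Content-Type: text/csv; charset=utf-8' );
    header( 'Content-Disposition: attachment; filename="attendees-' . $event_id . '.csv"' );
    $out = fopen( 'php://output', 'w' );
    fputcsv( $out, array( 'name', 'email' ) );
    foreach ( $rows as $row ) {
        fputcsv( $out, array( $row['name'] ?? '', $row['email'] ?? '' ) );
    }
    fclose( $out );
    wp_die();
}
```

Two design points carry over to any plugin audit of this kind. First, `current_user_can()` alone is coarse: it answers "may this role export at all", not "may this user export this event", so the ownership check in step 3 is what prevents an organizer from pulling another organizer's list. Second, when a site cannot patch yet, the same checks can be enforced from outside the plugin by a small must-use plugin hooked at `admin_init` that inspects the incoming `action` parameter and calls `wp_die()` for callers lacking the capability; the exact action name must be taken from the installed plugin's own source, since it is not stated on this page.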


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2025-01-17T22:58:56.582Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 699f6e5eb7ef31ef0b59efe6

Added to database: 2/25/2026, 9:49:18 PM

Last enriched: 2/26/2026, 12:15:18 AM

Last updated: 2/26/2026, 9:31:51 AM
