CVE-2024-11134
📋 TL;DR
The Eventer WordPress plugin has an authorization vulnerability that allows authenticated users with subscriber-level permissions or higher to download booking data containing customers' personal information. This affects all WordPress sites using Eventer plugin versions up to and including 3.9.9. The vulnerability stems from a missing capability check in the export function.
💻 Affected Systems
- Eventer WordPress Event Manager Plugin
📦 What is this software?
Eventer by Imithemes
⚠️ Risk & Real-World Impact
Worst Case
Attackers could exfiltrate all booking data containing PII (names, emails, phone numbers, addresses) leading to data breach, regulatory fines, and reputational damage.
Likely Case
Low-privileged authenticated users access booking data they should not be permitted to view, potentially exposing customer information.
If Mitigated
Minimal impact if proper access controls and monitoring are in place to detect unauthorized data exports.
🎯 Exploit Status
Exploitation requires authenticated access but is simple once authenticated. The vulnerability is publicly documented.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.10.0 or higher
Vendor Advisory: https://codecanyon.net/item/eventer-wordpress-event-manager-plugin/20972534
Restart Required: No
Instructions:
1. Log into WordPress admin panel
2. Navigate to Plugins → Installed Plugins
3. Find Eventer plugin
4. Click 'Update Now' if update available
5. If no update available, download latest version from vendor
6. Deactivate old plugin, upload new version, activate
🔧 Temporary Workarounds
Remove vulnerable plugin
Temporarily deactivate or remove the Eventer plugin until patched
wp plugin deactivate eventer
wp plugin delete eventer
Restrict user roles
Limit subscriber-level accounts or implement additional access controls
🧯 If You Can't Patch
- Implement web application firewall rules to block access to vulnerable endpoints
- Enable detailed logging of all data export activities and monitor for unauthorized access
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → Eventer version number. If version is 3.9.9 or lower, you are vulnerable.
Check Version:
wp plugin get eventer --field=version
Verify Fix Applied:
After updating, verify Eventer plugin version is 3.10.0 or higher in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- Unusual CSV export requests from non-admin users
- Multiple booking data export attempts from single user
- Access to /wp-admin/admin-ajax.php with action=eventer_export_bookings_csv
Network Indicators:
- HTTP POST requests to admin-ajax.php with export parameters
- Unexpected large CSV file downloads from WordPress admin area
SIEM Query:
source="wordpress.log" AND ("eventer_export_bookings_csv" OR "admin-ajax.php") AND user_role!="administrator"
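The log indicators above, turned into a small detector that runs over access-log lines (an added example, not part of this advisory). It assumes an access log enriched with the WordPress user name and role, and the admin-ajax action visible in the query string; the sample lines are constructed.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines (not real traffic). Assumed format: an access log
# extended with the WordPress user name and role in brackets, with the
# admin-ajax action visible in the query string.
SAMPLE_LOG = """\
203.0.113.10 - alice [administrator] "POST /wp-admin/admin-ajax.php?action=eventer_export_bookings_csv HTTP/1.1" 200 48211
203.0.113.25 - bob [subscriber] "POST /wp-admin/admin-ajax.php?action=eventer_export_bookings_csv HTTP/1.1" 200 48211
203.0.113.25 - bob [subscriber] "POST /wp-admin/admin-ajax.php?action=eventer_export_bookings_csv HTTP/1.1" 200 48211
203.0.113.25 - bob [subscriber] "POST /wp-admin/admin-ajax.php?action=eventer_export_bookings_csv HTTP/1.1" 200 48211
203.0.113.40 - carol [subscriber] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 120
"""

EXPORT_ACTION = "eventer_export_bookings_csv"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<role>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+)$'
)

def parse_line(line):
    """Parse one log line into a dict (adds path and admin-ajax action), or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["url"])
    rec["path"] = parts.path
    rec["action"] = parse_qs(parts.query).get("action", [None])[0]
    return rec

def is_booking_export(rec):
    """True when the request targets admin-ajax.php with the booking export action."""
    return rec["path"].endswith("/wp-admin/admin-ajax.php") and rec["action"] == EXPORT_ACTION

def find_suspicious_exports(log_text, repeat_threshold=2):
    """Return (exports by non-administrators, users with >= threshold exports)."""
    alerts, per_user = [], Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_booking_export(rec):
            continue  # unparsable line or an unrelated admin-ajax call
        per_user[rec["user"]] += 1
        if rec["role"] != "administrator":
            alerts.append((rec["user"], rec["role"], rec["ip"], rec["status"]))
    repeat_offenders = {u: n for u, n in per_user.items() if n >= repeat_threshold}
    return alerts, repeat_offenders
```

If the action is only sent in the POST body, the web server log will not show it; in that case feed the detector from a logging plugin or the SIEM query above rather than the raw access log.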