CVE-2024-11396
📋 TL;DR
The Event Monster WordPress plugin creates publicly accessible CSV files containing visitor personal data in the wp-content folder. Unauthenticated attackers can extract names, emails, and phone numbers from event visitors. All WordPress sites using Event Monster plugin versions up to 1.4.3 are affected.
💻 Affected Systems
- Event Monster – Event Management, Tickets Booking, Upcoming Event WordPress plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Mass data breach exposing all event visitor PII, leading to identity theft, phishing campaigns, regulatory fines, and reputational damage.
Likely Case
Unauthenticated attackers harvesting visitor contact information for spam, phishing, or targeted attacks against individuals.
If Mitigated
Limited exposure if web server blocks access to wp-content/uploads or if file permissions restrict public access.
🎯 Exploit Status
Exploitation requires only web access to the predictable file path. No special tools or skills needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.4.4 or later
Vendor Advisory: https://plugins.trac.wordpress.org/browser/event-monster/tags/1.4.4
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the Event Monster plugin.
4. Click 'Update Now' if an update is available.
5. Alternatively, download version 1.4.4+ from the WordPress repository and replace the plugin files.
🔧 Temporary Workarounds
Block public access to CSV files
Add .htaccess rules to block access to the vulnerable CSV file in the wp-content folder
# Add to .htaccess in the wp-content folder; <Files> matches the name in any subdirectory, so the uploads path is covered too
# Order/Deny is Apache 2.2 syntax (needs mod_access_compat on 2.4); on Apache 2.4 use "Require all denied" inside the <Files> block instead
<Files "visitors-list-export.csv">
Order Allow,Deny
Deny from all
</Files>
Disable plugin temporarily
Deactivate the Event Monster plugin until patched
wp plugin deactivate event-monster
🧯 If You Can't Patch
- Implement web application firewall rules to block access to visitors-list-export.csv file
- Restrict directory listing and file access permissions on wp-content/uploads folder
🔍 How to Verify
Check if Vulnerable:
Check if file exists at: http://[your-domain]/wp-content/uploads/visitors-list-export.csv
Check Version:
wp plugin get event-monster --field=version
Verify Fix Applied:
After the update, verify that the file is no longer publicly accessible at the same URL and check that the plugin version is 1.4.4+
📡 Detection & Monitoring
Log Indicators:
- HTTP 200 requests to /wp-content/uploads/visitors-list-export.csv
- Multiple failed attempts to access the CSV file
Network Indicators:
- Unusual traffic patterns to wp-content/uploads directory
- CSV file downloads from unexpected IP addresses
SIEM Query:
url = "*/wp-content/uploads/visitors-list-export.csv" AND response_code = 200
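The log indicators above, turned into a small offline checker. This is an added example, not part of the original advisory: it parses Apache/nginx "combined" format lines, reports successful (HTTP 200) downloads of the export file and counts failed attempts per source IP; the log lines are constructed samples.

```python
"""Scan access logs for CVE-2024-11396 indicators (added example, not from the advisory)."""
import re
from collections import Counter

CSV_PATH = "/wp-content/uploads/visitors-list-export.csv"

# Combined log format: ip - user [time] "METHOD path HTTP/x" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines, not real traffic (TEST-NET addresses).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2025:10:01:02 +0000] "GET /wp-content/uploads/visitors-list-export.csv HTTP/1.1" 200 48213 "-" "curl/8.4.0"
198.51.100.3 - - [10/Jan/2025:10:02:10 +0000] "GET /wp-content/uploads/visitors-list-export.csv?x=1 HTTP/1.1" 403 199 "-" "python-requests/2.31"
198.51.100.3 - - [10/Jan/2025:10:02:11 +0000] "GET /wp-content/uploads/visitors-list-export.csv HTTP/1.1" 404 199 "-" "python-requests/2.31"
192.0.2.9 - - [10/Jan/2025:10:03:00 +0000] "GET /wp-content/uploads/2024/flyer.pdf HTTP/1.1" 200 10240 "-" "Mozilla/5.0"
"""


def scan(log_text):
    """Return (list of (ip, time) for 200 responses, Counter of non-200 attempts per ip)."""
    downloads = []
    failed = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        path = m.group("path").split("?", 1)[0]  # ignore any query string
        if path != CSV_PATH:
            continue
        if int(m.group("status")) == 200:
            downloads.append((m.group("ip"), m.group("time")))
        else:
            failed[m.group("ip")] += 1  # probing that was blocked or hit a missing file
    return downloads, failed


if __name__ == "__main__":
    ok, bad = scan(SAMPLE_LOG)
    for ip, when in ok:
        print(f"ALERT: export file served to {ip} at {when}")
    for ip, n in bad.most_common():
        print(f"NOTE: {n} failed attempt(s) from {ip}")
```

Feed it a real log with `scan(open(path).read())`; a single 200 hit means the file was exposed and the visitor data should be treated as disclosed.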