Vulnerabilities > CVE-2023-0404 - Missing Authorization vulnerability in E-Dynamics Events Made Easy
Attack vector
NETWORK Attack complexity
LOW Privileges required
LOW Confidentiality impact
LOW Integrity impact
LOW Availability impact
NONE Summary
The Events Made Easy plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on several functions related to AJAX actions in versions up to, and including, 2.3.16. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to invoke those functions intended for administrator use. While the plugin is still pending review from the WordPress repository, site owners can download a copy of the patched version directly from the developer's Github at https://github.com/liedekef/events-made-easy
Vulnerable Configurations
Common Weakness Enumeration (CWE)
References
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2836308%40events-made-easy&new=2836308%40events-made-easy&sfp_email=&sfph_mail=
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2836308%40events-made-easy&new=2836308%40events-made-easy&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/5a9e62de-3e70-424f-b8e5-2a5f07ca182d
- https://www.wordfence.com/threat-intel/vulnerabilities/id/5a9e62de-3e70-424f-b8e5-2a5f07ca182d