cleantalk
Vulnerabilities and Security Researches

Vulnerabilities and security researches foreventer eventer

Direction: ascending
Jan 18, 2025

Eventer # CVE-2024-10799

CVE, Research URL

CVE-2024-10799

Application

Eventer

Date
Jan 17, 2025
Research Description
The Eventer plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 3.9.7 via the eventer_woo_download_tickets() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.
Affected versions
max 3.9.8.
Status
vulnerable
Jan 29, 2025

Eventer # CVE-2024-11135

CVE, Research URL

CVE-2024-11135

Application

Eventer

Date
Jan 28, 2025
Research Description
The Eventer plugin for WordPress is vulnerable to SQL Injection via the 'event' parameter in the 'eventer_get_attendees' function in all versions up to, and including, 3.9.8 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Affected versions
max 3.9.9.
Status
vulnerable
Mar 08, 2025

Eventer # CVE-2025-0959

CVE, Research URL

CVE-2025-0959

Application

Eventer

Date
Mar 07, 2025
Research Description
The Eventer - WordPress Event & Booking Manager Plugin plugin for WordPress is vulnerable to SQL Injection via the reg_id parameter in all versions up to, and including, 3.9.9.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Affected versions
max 3.9.9.3.
Status
vulnerable
May 18, 2025

Eventer # CVE-2025-39481

CVE, Research URL

CVE-2025-39481

Application

Eventer

Date
May 16, 2025
Research Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in imithemes Eventer eventer allows Blind SQL Injection.This issue affects Eventer: from n/a through < 3.11.4.
Affected versions
max 3.11.4.
Status
vulnerable

Eventer # CVE-2025-39482

CVE, Research URL

CVE-2025-39482

Application

Eventer

Date
May 16, 2025
Research Description
Missing Authorization vulnerability in imithemes Eventer eventer allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Eventer: from n/a through < 3.11.4.
Affected versions
max 3.11.4.
Status
vulnerable
Aug 14, 2025

Eventer # CVE-2025-39483

CVE, Research URL

CVE-2025-39483

Application

Eventer

Date
Aug 14, 2025
Research Description
Improper Control of Generation of Code ('Code Injection') vulnerability in imithemes Eventer eventer allows Code Injection.This issue affects Eventer: from n/a through < 3.9.9.1.
Affected versions
max 3.9.9.1.
Status
vulnerable
Jul 09, 2026

Eventer # CVE-2026-9700

CVE, Research URL

CVE-2026-9700

Application

Eventer

Date
Jul 08, 2026
Research Description
The Eventer plugin for WordPress is vulnerable to time-based SQL Injection via the ‘code’ parameter in all versions up to, and including, 4.4.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Affected versions
max 4.4.2.
Status
vulnerable

Eventer # CVE-2026-9701

CVE, Research URL

CVE-2026-9701

Application

Eventer

Date
Jul 08, 2026
Research Description
The Eventer plugin for WordPress is vulnerable to an insecure password reset mechanism in all versions up to, and including, 4.4.2. The plugin stores a plaintext copy of the password reset key in the `eventer_verification_code` user meta field when a user requests a password reset. The plaintext key stored in `wp_usermeta` can be used with the plugin's custom reset action to set a new password for any user. Combined with another vulnerability such as SQL Injection (CVE-2026-9700), this makes it possible for unauthenticated attackers to extract the plaintext reset key and take over any user account, including administrators. Note: The password reset function only works up to PHP version 7.4.
Affected versions
max 4.4.2.
Status
vulnerable