WordPress WpEvently plugin <= 5.1.1 - Cross Site Request Forgery (CSRF) vulnerability
Platform
wordpress
Component
mage-eventpress
Fixed in
5.1.2
CVE-2026-24942 describes a Cross-Site Request Forgery (CSRF) vulnerability discovered in the WpEvently WordPress plugin developed by magepeopleteam. This flaw allows an attacker to potentially execute unauthorized actions on a user's behalf if they are logged into a site using the vulnerable plugin. The vulnerability affects versions of WpEvently from 0.0.0 up to and including 5.1.1, and a patch is available in version 5.1.2.
Impact and Attack Scenarios
A successful CSRF attack could allow an attacker to modify settings, create or delete content, or perform other actions as the logged-in user. The impact is directly proportional to the user's privileges within the WordPress site. For example, an administrator account compromised via CSRF could lead to complete site takeover. This vulnerability is particularly concerning because CSRF attacks are often difficult for users to detect, as they may unknowingly be tricked into clicking malicious links or visiting compromised websites. The attacker needs to trick the user into performing the action, but does not need to know their password.
Exploitation Context
CVE-2026-24942 was publicly disclosed on 2026-02-03. There are currently no known public exploits or active campaigns targeting this vulnerability. The CVSS score of 4.3 (MEDIUM) indicates a moderate risk. It is not listed on the CISA KEV catalog at the time of writing.
Who Is at Risk
Websites using the WpEvently plugin, particularly those with administrator accounts or users with elevated privileges, are at risk. Shared hosting environments where multiple WordPress sites share the same server resources are also at increased risk, as a compromise on one site could potentially impact others.
Detection Steps
• wordpress / composer / npm: wp plugin list | grep -i -e WpEvently -e mage-eventpress
• wordpress / composer / npm: wp plugin update --all
• wordpress / composer / npm: grep -r 'mage-eventpress' /var/www/html/wp-content/plugins/
• generic web: Check for unexpected changes in WordPress settings or content that could indicate a CSRF attack.
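As an added example (not part of this advisory or of the plugin project), the following POSIX shell script turns the first detection step into a version-aware check. It reads output in the shape of `wp plugin list --fields=name,version --format=csv`, finds the plugin by its slug (`mage-eventpress`, the component named above, because the `name` column of `wp plugin list` carries the slug rather than the display title "WpEvently") and compares the installed version against the fixed version 5.1.2 with `sort -V`, so that a release such as 5.1.10 is treated as patched rather than sorted before 5.1.2 as plain string comparison would do. The `SAMPLE_LIST` input is constructed; the slug, the fixed version and the availability of `sort -V` (GNU or BSD coreutils) are assumptions.

```shell
#!/bin/sh
# Added example, not from the advisory: classify the installed mage-eventpress
# (WpEvently) version from `wp plugin list` CSV output.
# Assumptions: the plugin's slug is "mage-eventpress" and the first fixed
# release is 5.1.2 (both taken from this page); `sort -V` is available.

FIXED_VERSION="5.1.2"
PLUGIN_SLUG="mage-eventpress"

# Returns 0 (true) when version $1 sorts strictly before FIXED_VERSION,
# i.e. when it is inside the affected range 0.0.0 .. 5.1.1.
is_affected_version() {
    v="$1"
    [ "$v" = "$FIXED_VERSION" ] && return 1
    # Version-aware sort: 5.1.10 sorts after 5.1.2, unlike a string sort.
    lowest=$(printf '%s\n%s\n' "$v" "$FIXED_VERSION" | sort -V | head -n 1)
    [ "$lowest" = "$v" ]
}

# Reads CSV lines "name,version" on stdin and prints exactly one of:
#   AFFECTED <version>   installed version is in the affected range
#   PATCHED <version>    installed version is 5.1.2 or later
#   NOT_INSTALLED        the slug does not appear in the list
check_plugin_list() {
    line=$(grep "^${PLUGIN_SLUG}," | head -n 1)
    if [ -z "$line" ]; then
        echo "NOT_INSTALLED"
        return 0
    fi
    version=${line#*,}
    if is_affected_version "$version"; then
        echo "AFFECTED $version"
    else
        echo "PATCHED $version"
    fi
}

# Constructed sample output; not captured from a real site.
SAMPLE_LIST='name,version
akismet,5.3
mage-eventpress,5.1.1
woocommerce,9.4.0'

# On a live site the input would come from:
#   wp plugin list --fields=name,version --format=csv | sh check_wpevently.sh
# Here the constructed sample is fed in instead.
printf '%s\n' "$SAMPLE_LIST" | check_plugin_list
```

The script only reads the plugin list; it does not update anything, so it can be run on production hosts during triage and the `wp plugin update` step from the list above applied separately once an `AFFECTED` result is confirmed.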
Attack Timeline
- Disclosure
Threat Intelligence
Exploit Status
EPSS
0.02% (4% percentile)
CISA SSVC
CVSS vector
What do these metrics mean?
- Attack Vector
- Network — exploitable remotely over the internet. No physical or local access required.
- Attack Complexity
- Low — no special conditions required. Reliably exploitable.
- Privileges Required
- None — no authentication required to exploit.
- User Interaction
- Required — the victim must open a file, click a link or visit a page.
- Scope
- Unchanged — impact limited to the vulnerable component.
- Confidentiality
- None — no confidentiality impact.
- Integrity
- Low — the attacker can modify some data to a limited extent.
- Availability
- None — no availability impact.
Affected Software
Package information
- Active installations
- 7K (Niche)
- Plugin rating
- 4.5
- Requires WordPress
- 5.3+
- Compatible up to
- 7.0
- Requires PHP
- 7.4+
Weakness Classification (CWE)
Timeline
- Reserved
- Published
- Modified
- EPSS updated
Mitigation and Workarounds
The primary mitigation for CVE-2026-24942 is to immediately upgrade the WpEvently plugin to version 5.1.2 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider implementing a Web Application Firewall (WAF) with CSRF protection rules. These rules can help block malicious requests by verifying the presence and validity of CSRF tokens. Additionally, review and strengthen WordPress user permissions to limit the potential impact of a successful CSRF attack. Regularly audit WordPress plugins for vulnerabilities and keep all plugins and themes updated.
How to fix
Update to version 5.1.2 or a newer patched version
Frequently Asked Questions
What is CVE-2026-24942 — CSRF in WpEvently WordPress Plugin?
CVE-2026-24942 is a Cross-Site Request Forgery (CSRF) vulnerability affecting versions 0.0.0–5.1.1 of the WpEvently WordPress plugin, allowing attackers to perform unauthorized actions.
Am I affected by CVE-2026-24942 in WpEvently WordPress Plugin?
You are affected if you are using WpEvently version 0.0.0 through 5.1.1. Check your plugin version and upgrade immediately if vulnerable.
How do I fix CVE-2026-24942 in WpEvently WordPress Plugin?
Upgrade the WpEvently plugin to version 5.1.2 or later to resolve the vulnerability. Consider WAF rules as a temporary mitigation.
Is CVE-2026-24942 being actively exploited?
As of now, there are no known public exploits or active campaigns targeting CVE-2026-24942, but vigilance is still advised.
Where can I find the official WpEvently advisory for CVE-2026-24942?
Refer to the magepeopleteam website or WordPress plugin repository for the official advisory and update information regarding CVE-2026-24942.