Platform
wordpress
Component
mage-eventpress
Fixed in
5.1.2
CVE-2026-24942 describes a Cross-Site Request Forgery (CSRF) vulnerability discovered in the WpEvently WordPress plugin developed by magepeopleteam. This flaw allows an attacker to potentially execute unauthorized actions on a user's behalf if they are logged into a site using the vulnerable plugin. The vulnerability affects versions of WpEvently from 0.0.0 up to and including 5.1.1, and a patch is available in version 5.1.2.
A successful CSRF attack lets the attacker perform, as the logged-in victim, whatever state-changing action the unprotected request handles: modifying plugin settings, creating or deleting content, or other actions the victim's account is allowed to take. The impact is bounded by the victim's privileges; an administrator's browser hitting the forged request could lead to complete site takeover, while a subscriber's would not. CSRF is hard for victims to notice because nothing unusual happens on their side: they only need to load attacker-controlled content (a page, an embedded image or an auto-submitting form) in a browser that holds a valid WordPress login cookie for the target site. The attacker never needs the victim's password or a session token, only that the victim is authenticated when the forged request fires.
CVE-2026-24942 was publicly disclosed on 2026-02-03. There are currently no known public exploits or active campaigns targeting this vulnerability. The CVSS score of 4.3 (MEDIUM) indicates a moderate risk. It is not listed on the CISA KEV catalog at the time of writing.
Websites running WpEvently whose privileged users (administrators, editors, or whoever manages events) browse other sites while logged in are at risk; an unauthenticated attacker cannot exploit the bug on their own. Shared hosting is a post-compromise concern rather than a CSRF one: the forged request does not cross sites, but an administrator account taken over this way can be used to install code that, on poorly isolated hosting, reaches neighbouring sites on the same server.
• wordpress: wp plugin list | grep mage-eventpress (the plugin appears under its slug mage-eventpress, not its display name WpEvently; the version column must read 5.1.2 or higher)
• wordpress: wp plugin update mage-eventpress (or wp plugin update --all after testing)
• wordpress: grep -h 'Version:' /var/www/html/wp-content/plugins/mage-eventpress/*.php (reads the plugin header directly when WP-CLI is unavailable)
• generic web: Check for unexpected changes in WordPress settings or content that could indicate a CSRF attack.
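The checks above can be wrapped into a small script that reads the plugin header and compares it against the fixed release, which is useful when auditing many sites without WP-CLI. This is an added example, not code from the advisory or from the plugin; the directory layout, the main-file name and the sample header in demo() are constructed for the demonstration, and the version comparison is a plain numeric dot-separated compare (pre-release suffixes are ignored).

```shell
# Added example (not part of the advisory or the plugin): decide whether a
# mage-eventpress install is below the fixed release by reading the plugin
# header. The directory layout and the sample header in demo() are constructed.

FIXED_VERSION="5.1.2"

# version_lt A B: succeed (exit 0) when dot-separated version A sorts below B.
# Missing components count as 0, so "5.1" equals "5.1.0".
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, pa, "."); nb = split(b, pb, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? pa[i] + 0 : 0
            y = (i <= nb) ? pb[i] + 0 : 0
            if (x < y) exit 0
            if (x > y) exit 1
        }
        exit 1
    }'
}

# plugin_version DIR: print the "Version:" header from the plugin's top-level
# PHP file (WordPress reads the same header to show the installed version).
plugin_version() {
    grep -h -m1 -E '^[[:space:]*]*Version:' "$1"/*.php 2>/dev/null \
        | head -n1 \
        | sed -E 's/^[[:space:]*]*Version:[[:space:]]*//; s/[[:space:]]+$//'
}

# check_plugin DIR: print one of vulnerable | patched | unknown | not-installed
check_plugin() {
    if [ ! -d "$1" ]; then
        echo "not-installed"; return 0
    fi
    ver=$(plugin_version "$1")
    if [ -z "$ver" ]; then
        echo "unknown"; return 0
    fi
    if version_lt "$ver" "$FIXED_VERSION"; then
        echo "vulnerable"
    else
        echo "patched"
    fi
}

# demo: build a constructed plugin directory carrying a 5.1.1 header and check it.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/mage-eventpress"
    cat > "$tmp/mage-eventpress/mage-eventpress.php" <<'EOF'
<?php
/**
 * Plugin Name: WpEvently
 * Version: 5.1.1
 */
EOF
    printf '%s: %s\n' "$tmp/mage-eventpress" "$(check_plugin "$tmp/mage-eventpress")"
    rm -rf "$tmp"
}

demo
```

Point check_plugin at the real directory (for example /var/www/html/wp-content/plugins/mage-eventpress) on each host; a result of "unknown" means the header was not found and the install should be inspected by hand rather than assumed safe.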
Exploit status
disclosure
EPSS
0.02% (4th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-24942 is to upgrade the WpEvently plugin to version 5.1.2 or later as soon as possible. If upgrading must wait for compatibility testing, a Web Application Firewall or reverse proxy can reduce exposure, but be precise about what it can do: WordPress CSRF tokens (nonces) are per-user, per-action, time-limited hashes that a WAF cannot generate or validate, so "verify the CSRF token" is not a rule a WAF can enforce for WordPress. What a WAF can do is reject state-changing requests (POSTs to admin-post.php, admin-ajax.php, or the plugin's own endpoints) whose Origin or Referer header, or whose Sec-Fetch-Site header, shows they came from another site. Browsers' Lax-by-default handling of cookies that lack a SameSite attribute already stops most cross-site POSTs from carrying the WordPress login cookie, which is part of why the score is moderate, but that is not a substitute for the patch. Additionally, review and tighten WordPress user permissions so that a successful CSRF against a low-privilege account cannot do much, and keep all plugins and themes updated.
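The fix for this class of bug is the standard WordPress pattern: the form carries a nonce, and the handler verifies both the nonce (intent) and a capability (privilege). What follows is an added illustration, not WpEvently's code and not the actual vulnerable function (the advisory does not name it): a hypothetical settings handler in its unprotected form and then hardened. The action names, the option name, the page slug and the manage_options capability are assumptions chosen for the example.

```php
<?php
/*
 * Added example, not WpEvently's code: a generic WordPress admin-post
 * handler shown first without CSRF protection, then hardened.
 * Hypothetical action names, option name, page slug and capability.
 */

// BEFORE: any request reaching admin-post.php with action=example_save_unsafe
// runs this function, including a cross-site form auto-submitted by a page the
// victim visited while logged in. Nothing proves the user meant to send it.
add_action( 'admin_post_example_save_unsafe', 'example_save_settings_unsafe' );
function example_save_settings_unsafe() {
    update_option( 'example_notify_email', sanitize_email( wp_unslash( $_POST['notify_email'] ?? '' ) ) );
    wp_safe_redirect( admin_url( 'admin.php?page=example-settings&updated=1' ) );
    exit;
}

// AFTER, step 1: the form embeds a nonce bound to this user and this action.
// A cross-site attacker cannot read it (same-origin policy) and cannot forge it
// (it is an HMAC over the user ID, session token and action, keyed by the
// site's secret salts), so a forged POST arrives without a valid nonce.
function example_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'example_save_settings', 'example_nonce' ); ?>
        <input type="hidden" name="action" value="example_save_settings">
        <input type="email" name="notify_email"
               value="<?php echo esc_attr( get_option( 'example_notify_email', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// AFTER, step 2: the handler checks privilege, then the nonce, before writing.
add_action( 'admin_post_example_save_settings', 'example_save_settings_hardened' );
function example_save_settings_hardened() {
    // Authorisation: a nonce only proves intent, never privilege, so the
    // capability check is separate and comes first.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', '', array( 'response' => 403 ) );
    }

    // CSRF check: check_admin_referer() calls wp_verify_nonce() on the named
    // field and dies with a 403 ("The link you followed has expired") when the
    // nonce is missing, stale, or was issued for another user or action.
    check_admin_referer( 'example_save_settings', 'example_nonce' );

    update_option( 'example_notify_email', sanitize_email( wp_unslash( $_POST['notify_email'] ?? '' ) ) );
    wp_safe_redirect( admin_url( 'admin.php?page=example-settings&updated=1' ) );
    exit;
}
```

For AJAX endpoints the same two checks apply with check_ajax_referer() in place of check_admin_referer(); for REST routes the permission_callback carries the capability check and the X-WP-Nonce header carries the nonce. When reviewing a plugin, grep its add_action('admin_post_ and 'wp_ajax_ registrations and confirm every handler that writes state performs both checks.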
Update to version 5.1.2, or a newer patched version
CVE-2026-24942 is a Cross-Site Request Forgery (CSRF) vulnerability affecting versions 0.0.0–5.1.1 of the WpEvently WordPress plugin, allowing attackers to perform unauthorized actions.
You are affected if you are using WpEvently version 0.0.0 through 5.1.1. Check your plugin version and upgrade immediately if vulnerable.
Upgrade the WpEvently plugin to version 5.1.2 or later to resolve the vulnerability. Consider WAF rules as a temporary mitigation.
As of now, there are no known public exploits or active campaigns targeting CVE-2026-24942, but vigilance is still advised.
Refer to the magepeopleteam website or WordPress plugin repository for the official advisory and update information regarding CVE-2026-24942.