From a0c8330761bb702efa43addc73d4ac8853df34db Mon Sep 17 00:00:00 2001
From: Dhiyaneshwaran
Date: Fri, 23 Jan 2026 13:54:39 +0530
Subject: [PATCH 1/2] CVE-2024-5333 - Unauthorized Data Disclosure in 'The Events Calendar' WordPress Plugin
---
 http/cves/2024/CVE-2024-5333.yaml | 55 +++++++++++++++++++++++++++++++
 1 file changed, 55 insertions(+)
 create mode 100644 http/cves/2024/CVE-2024-5333.yaml
diff --git a/http/cves/2024/CVE-2024-5333.yaml b/http/cves/2024/CVE-2024-5333.yaml
new file mode 100644
index 00000000000..88137c299a9
--- /dev/null
+++ b/http/cves/2024/CVE-2024-5333.yaml
@@ -0,0 +1,55 @@
+id: CVE-2024-5333
+
+info:
+ name: Unauthorized Data Disclosure in 'The Events Calendar' WordPress Plugin
+ author: DhiyaneshDk
+ severity: medium
+ description: |
+ The Events Calendar WordPress plugin 6.8.2.1 contains missing access checks in the REST API, letting unauthenticated users access information about password protected events, exploit requires no authentication.
+ impact: |
+ Unauthenticated users can access sensitive event information, potentially leading to information disclosure.
+ remediation: |
+ Update to version 6.8.2.1 or later.
+ reference:
+ - https://wpscan.com/vulnerability/764b5a23-8b51-4882-b899-beb54f684984/
+ - https://nvd.nist.gov/vuln/detail/CVE-2024-5333
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
+ cvss-score: 5.3
+ cve-id: CVE-2024-5333
+ cwe-id: CWE-639
+ epss-score: 0.00193
+ epss-percentile: 0.41217
+ metadata:
+ verified: true
+ max-request: 1
+ vendor: stellarwp
+ product: the_events_calendar
+ framework: wordpress
+ publicwww-query: "/wp-content/plugins/the-events-calendar/"
+ shodan-query: http.html:"/wp-content/plugins/the-events-calendar/"
+ tags: cve,cve2024,wordpress,wp-plugin,the-events-calendar,disclosure,unauth
+
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}/wp-json/tribe/events/v1/events/"
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body
+ words:
+ - '"events":'
+ - '"rest_url":'
+ - '"total":'
+ condition: and
+
+ - type: word
+ part: content_type
+ words:
+ - "application/json"
+
+ - type: status
+ status:
+ - 200
From 67151803bba7e6ef71c0156ff98eff8294042d2a Mon Sep 17 00:00:00 2001
From: Ritik Chaddha <44563978+ritikchaddha@users.noreply.github.com>
Date: Thu, 29 Jan 2026 11:32:46 +0530
Subject: [PATCH 2/2] Update CVE-2024-5333.yaml
---
 http/cves/2024/CVE-2024-5333.yaml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
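Review bot: The matchers in this new template gate only on the listing envelope of `/wp-json/tribe/events/v1/events/` — the words `"events":`, `"rest_url":` and `"total":` plus a JSON content type and a 200 — and that is the plugin's public events endpoint, which presumably returns exactly those keys on every install that exposes the REST API, including ones already on the fixed release, so the template will report CVE-2024-5333 against patched sites. The advisory is about password-protected event details leaking, and nothing here checks for that or for the plugin version. I would add a version gate: fetch the plugin's readme.txt, extract `Stable tag` as an internal value, and require `compare_versions(version, "< 6.8.2.1")` alongside the existing body matchers (bumping `max-request` to 2), as sketched below, accepting that installs which strip readme.txt will then go unreported. Separately, `description` says version 6.8.2.1 "contains" the flaw while `remediation` says to update to 6.8.2.1 or later; the wpscan reference presumably gives 6.8.2.1 as the fixed release, so the description should read `The Events Calendar WordPress plugin before 6.8.2.1 does not perform access checks in its REST API, ...`.

```yaml
http:
  - method: GET
    path:
      - "{{BaseURL}}/wp-content/plugins/the-events-calendar/readme.txt"

    extractors:
      - type: regex
        name: version
        internal: true
        group: 1
        regex:
          - '(?m)Stable tag: ([0-9.]+)'

  - method: GET
    path:
      - "{{BaseURL}}/wp-json/tribe/events/v1/events/"

    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - 'compare_versions(version, "< 6.8.2.1")'

      # … unchanged: existing word (body), word (content_type) and status matchers …
```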
diff --git a/http/cves/2024/CVE-2024-5333.yaml b/http/cves/2024/CVE-2024-5333.yaml
index 88137c299a9..2c491a45206 100644
--- a/http/cves/2024/CVE-2024-5333.yaml
+++ b/http/cves/2024/CVE-2024-5333.yaml
@@ -1,7 +1,7 @@
 id: CVE-2024-5333
 info:
- name: Unauthorized Data Disclosure in 'The Events Calendar' WordPress Plugin
+ name: WordPress Events Calendar 6.8.2.1 - Information Disclosure
 author: DhiyaneshDk
 severity: medium
 description: |
@@ -27,8 +27,8 @@ info:
 product: the_events_calendar
 framework: wordpress
 publicwww-query: "/wp-content/plugins/the-events-calendar/"
- shodan-query: http.html:"/wp-content/plugins/the-events-calendar/"
- tags: cve,cve2024,wordpress,wp-plugin,the-events-calendar,disclosure,unauth
+ shodan-query: html:"/wp-content/plugins/the-events-calendar/"
+ tags: cve,cve2024,wordpress,wp,wp-plugin,the-events-calendar,disclosure
 http:
 - method: GET
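Review bot: The new `name` line labels 6.8.2.1 as the affected version (`WordPress Events Calendar 6.8.2.1 - Information Disclosure`) while the file's `remediation` block tells users to update to 6.8.2.1 or later, so the scanner's own finding title will contradict its fix advice. If 6.8.2.1 is the patched release, as the remediation and presumably the wpscan reference imply, the title should mark it as the bound rather than the target, e.g. `name: WordPress The Events Calendar < 6.8.2.1 - Information Disclosure`. The `description` block scalar that follows continues past the end of this hunk.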