Event Booking Manager for WooCommerce <= 5.3.3 - Missing Authorization
Description
The Event Booking Manager for WooCommerce plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 5.3.3. This makes it possible for unauthenticated attackers to perform an unauthorized action.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NTechnical Details
What Changed in the Fix
Changes introduced in v5.3.4
Source Code
WordPress.org SVN# Exploitation Research Plan - CVE-2026-45441 ## 1. Vulnerability Summary The **Event Booking Manager for WooCommerce** plugin (mage-eventpress) up to version 5.3.3 contains a **Missing Authorization** vulnerability. The plugin registers several AJAX actions intended for administrative use (such as…
Show full research plan
Exploitation Research Plan - CVE-2026-45441
1. Vulnerability Summary
The Event Booking Manager for WooCommerce plugin (mage-eventpress) up to version 5.3.3 contains a Missing Authorization vulnerability. The plugin registers several AJAX actions intended for administrative use (such as searching for icons or managing event data) but fails to implement proper capability checks (e.g., current_user_can()) or fails to restrict the hooks to authenticated administrative users.
Based on the provided source code in assets/admin/mkb-admin.js, the action mep_pick_icon is a primary candidate for this vulnerability, as it is used in an administrative context but appears to be callable via admin-ajax.php without session-specific security tokens (nonces) or verified authorization.
2. Attack Vector Analysis
- Endpoint:
/wp-admin/admin-ajax.php - HTTP Method:
POST - Action:
mep_pick_icon(confirmed inmkb-admin.js) - Vulnerable Parameter:
query - Authentication Required: None (unauthenticated access is possible if
wp_ajax_nopriv_is used or if any logged-in user can trigger thewp_ajax_hook without capability verification). - Preconditions: The plugin must be active.
3. Code Flow
- **Frontend Trigger
Summary
The Event Booking Manager for WooCommerce plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the backend handler for the mep_pick_icon AJAX action. This allows unauthenticated attackers to perform unauthorized searches for icons and potentially interact with administrative components by sending requests to the admin-ajax.php endpoint.
Vulnerable Code
// assets/admin/mkb-admin.js line 15 $(document).on('input', "input[name='mep_icon_search_box']", function () { var searchQuery = $(this).val(); $.ajax({ url: ajaxurl, // WordPress's AJAX URL (for admin-ajax.php) method: 'POST', data: { action: 'mep_pick_icon', // The action name to hook into query: searchQuery, // The search query }, success: function (response) { // Clear the icon list container $('.fa-icon-lists').html(''); console.log(response); $.each(response, function (className, title) { $('.fa-icon-lists').append(` <div class="icon" title="${title}" data-icon="${className}"> <i class="${className}"></i> </div> `); }); }, }); });
Security Fix
Only in /home/deploy/wp-safety.org/data/plugin-versions/mage-eventpress/5.3.4: admin Only in /home/deploy/wp-safety.org/data/plugin-versions/mage-eventpress/5.0.1: Admin Only in /home/deploy/wp-safety.org/data/plugin-versions/mage-eventpress/5.3.4/assets/admin: calendar-admin.css Only in /home/deploy/wp-safety.org/data/plugin-versions/mage-eventpress/5.3.4/assets/admin: calendar-admin.js @@ -1,7 +1,7 @@ /* Filters Section */ .mep-analytics-filters { - background-color: var(--mpev-white); + background-color: var(--color_white); padding: 20px; margin-bottom: 20px; border-radius: 5px; Only in /home/deploy/wp-safety.org/data/plugin-versions/mage-eventpress/5.0.1/assets/admin: mkb-admin.js Only in /home/deploy/wp-safety.org/data/plugin-versions/mage-eventpress/5.0.1/assets/admin: mp_admin_settings.js
Exploit Outline
The exploit involves interacting with the WordPress AJAX API without any authentication. An attacker sends a POST request to /wp-admin/admin-ajax.php with the 'action' parameter set to 'mep_pick_icon' and an arbitrary 'query' string. Because the plugin fails to implement a capability check (e.g., current_user_can('manage_options')) or verify a security nonce within the corresponding PHP handler, the server will process the request and return data (such as icon lists) even for unauthenticated users, confirming the missing authorization vulnerability.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.