{"api_version":"1","generated_at":"2026-04-15T05:28:46+00:00","cve":"CVE-2024-1321","urls":{"html":"https://cve.report/CVE-2024-1321","api":"https://cve.report/api/cve/CVE-2024-1321.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2024-1321","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2024-1321"},"summary":{"title":"EventPrime – Events Calendar, Bookings and Tickets <= 3.4.2 - Unauthenticated Booking Payment Bypass","description":"The EventPrime – Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to payment bypass in all versions up to, and including, 3.4.2. This is due to the plugin allowing unauthenticated users to update the status of order payments. This makes it possible for unauthenticated attackers to book events for free.","state":"PUBLISHED","assigner":"Wordfence","published_at":"2024-03-13 16:15:19","updated_at":"2026-04-08 18:20:33"},"problem_types":["CWE-345","NVD-CWE-noinfo","CWE-345 CWE-345 Insufficient Verification of Data Authenticity"],"metrics":[{"version":"3.1","source":"security@wordfence.com","type":"Secondary","score":"5.3","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","baseScore":5.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"NONE"}},{"version":"3.1","source":"CNA","type":"DECLARED","score":"5.3","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","data":{"baseScore":5.3,"baseSeverity":"MEDIUM","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","version":"3.1"}}],"references":[{"url":"https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3033882%40eventprime-event-calendar-management&new=3033882%40eventprime-event-calendar-management&sfp_email=&sfph_mail=","name":"https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3033882%40eventprime-event-calendar-management&new=3033882%40eventprime-event-calendar-management&sfp_email=&sfph_mail=","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.wordfence.com/threat-intel/vulnerabilities/id/765d0933-8db2-471c-ad4e-e19d3b4ff015?source=cve","name":"https://www.wordfence.com/threat-intel/vulnerabilities/id/765d0933-8db2-471c-ad4e-e19d3b4ff015?source=cve","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2024-1321","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-1321","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"metagauss","product":"EventPrime – Events Calendar, Bookings and Tickets","version":"affected 3.4.2 semver","platforms":[]},{"source":"ADP","vendor":"metagauss","product":"eventprime","version":"affected 3.4.2 semver","platforms":[]}],"timeline":[{"source":"CNA","time":"2025-11-04T05:28:17.000Z","lang":"en","value":"Vendor Notified"},{"source":"CNA","time":"2024-03-08T00:00:00.000Z","lang":"en","value":"Disclosed"}],"solutions":[],"workarounds":[],"exploits":[],"credits":[{"source":"CNA","value":"Lucio Sá","lang":"en"}],"nvd_cpes":[{"cve_year":"2024","cve_id":"1321","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"metagauss","cpe5":"eventprime","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"wordpress","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"providerMetadata":{"dateUpdated":"2024-08-01T18:33:25.576Z","orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE"},"references":[{"tags":["x_transferred"],"url":"https://www.wordfence.com/threat-intel/vulnerabilities/id/765d0933-8db2-471c-ad4e-e19d3b4ff015?source=cve"},{"tags":["x_transferred"],"url":"https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3033882%40eventprime-event-calendar-management&new=3033882%40eventprime-event-calendar-management&sfp_email=&sfph_mail="}],"title":"CVE Program Container"},{"affected":[{"cpes":["cpe:2.3:a:metagauss:eventprime:*:*:*:*:*:wordpress:*:*"],"defaultStatus":"unaffected","product":"eventprime","vendor":"metagauss","versions":[{"lessThanOrEqual":"3.4.2","status":"affected","version":"0","versionType":"semver"}]}],"metrics":[{"other":{"content":{"id":"CVE-2024-1321","options":[{"Exploitation":"none"},{"Automatable":"yes"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","timestamp":"2024-03-13T18:14:37.065032Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2024-08-28T16:07:23.899Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"defaultStatus":"unaffected","product":"EventPrime – Events Calendar, Bookings and Tickets","vendor":"metagauss","versions":[{"lessThanOrEqual":"3.4.2","status":"affected","version":"0","versionType":"semver"}]}],"credits":[{"lang":"en","type":"finder","value":"Lucio Sá"}],"descriptions":[{"lang":"en","value":"The EventPrime – Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to payment bypass in all versions up to, and including, 3.4.2. This is due to the plugin allowing unauthenticated users to update the status of order payments. This makes it possible for unauthenticated attackers to book events for free."}],"metrics":[{"cvssV3_1":{"baseScore":5.3,"baseSeverity":"MEDIUM","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","version":"3.1"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-345","description":"CWE-345 Insufficient Verification of Data Authenticity","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-04-08T17:01:29.255Z","orgId":"b15e7b5b-3da4-40ae-a43c-f7aa60e62599","shortName":"Wordfence"},"references":[{"url":"https://www.wordfence.com/threat-intel/vulnerabilities/id/765d0933-8db2-471c-ad4e-e19d3b4ff015?source=cve"},{"url":"https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3033882%40eventprime-event-calendar-management&new=3033882%40eventprime-event-calendar-management&sfp_email=&sfph_mail="}],"timeline":[{"lang":"en","time":"2025-11-04T05:28:17.000Z","value":"Vendor Notified"},{"lang":"en","time":"2024-03-08T00:00:00.000Z","value":"Disclosed"}],"title":"EventPrime – Events Calendar, Bookings and Tickets <= 3.4.2 - Unauthenticated Booking Payment Bypass"}},"cveMetadata":{"assignerOrgId":"b15e7b5b-3da4-40ae-a43c-f7aa60e62599","assignerShortName":"Wordfence","cveId":"CVE-2024-1321","datePublished":"2024-03-13T15:26:56.986Z","dateReserved":"2024-02-07T17:29:36.334Z","dateUpdated":"2026-04-08T17:01:29.255Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2024-03-13 16:15:19","lastModifiedDate":"2026-04-08 18:20:33","problem_types":["CWE-345","NVD-CWE-noinfo","CWE-345 CWE-345 Insufficient Verification of Data Authenticity"],"metrics":{"cvssMetricV31":[{"source":"security@wordfence.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","baseScore":5.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":1.4}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:metagauss:eventprime:*:*:*:*:*:wordpress:*:*","versionEndExcluding":"3.4.3","matchCriteriaId":"EE9D3C4B-BEC7-4C98-96B7-55629914E43C"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2024","CveId":"1321","Ordinal":"1","Title":"EventPrime – Events Calendar, Bookings and Tickets <= 3.4.2 - Un","CVE":"CVE-2024-1321","Year":"2024"},"notes":[{"CveYear":"2024","CveId":"1321","Ordinal":"1","NoteData":"The EventPrime – Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to payment bypass in all versions up to, and including, 3.4.2. This is due to the plugin allowing unauthenticated users to update the status of order payments. This makes it possible for unauthenticated attackers to book events for free.","Type":"Description","Title":"EventPrime – Events Calendar, Bookings and Tickets <= 3.4.2 - Un"}]}}}