CVE-2024-4665: 
WordPress vulnerability analysis and mitigation

The EventPrime WordPress plugin before version 3.5.0 contains a security vulnerability identified as CVE-2024-4665. The vulnerability allows users to manipulate booking settings without proper permission validation, enabling them to change or cancel bookings belonging to other users. The issue is compounded by the absence of a nonce security measure (WPScan).

The vulnerability stems from improper access control implementation in the booking management functionality. The issue specifically affects the booking update mechanism through the admin-ajax.php endpoint, where the plugin fails to properly validate user permissions when processing booking status updates. The vulnerability has been assigned a CVSS v3.1 Base Score of 5.3 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L (CISA-ADP).

When exploited, this vulnerability allows authenticated users with subscriber-level access or higher to modify or cancel bookings that belong to other users. This can lead to unauthorized manipulation of booking records and potential disruption of legitimate event bookings within the system (WPScan).

The vulnerability has been patched in EventPrime version 3.5.0. Users are strongly advised to update to this version or later to address the security issue. No alternative workarounds have been publicly documented (WPScan).