CVE-2024-32110 Overview
CVE-2024-32110 is a Cross-Site Request Forgery (CSRF) vulnerability [CWE-352] affecting the Magepeople WpEvently plugin for WordPress. The plugin, marketed as an event manager and ticket selling solution for WooCommerce, does not verify a WordPress nonce on some of its state-changing request handlers in versions up to and including 4.1.2. An attacker can host a web page that silently submits a request to the target site; when a logged-in WordPress user visits that page, the browser attaches the user's session cookies and the plugin processes the request as if the user had submitted it. The flaw requires user interaction and is exploited over the network. Its impact is limited to the integrity of plugin-managed data; it does not by itself disclose data or affect availability.
Critical Impact
An authenticated WordPress user who visits an attacker-controlled page can be coerced into performing unintended actions within the WpEvently plugin. The forged request runs with the victim's capabilities, so a lured administrator can be made to modify event or ticket data, or plugin settings, without noticing.
Affected Products
- Magepeople WpEvently (Event Manager and Tickets Selling Plugin for WooCommerce)
- All versions from initial release through 4.1.2
- WordPress installations using the mage-eventpress plugin
Discovery Timeline
- 2026-06-11 - CVE-2024-32110 published to NVD
- 2026-06-11 - Last updated in NVD database
Technical Details for CVE-2024-32110
Vulnerability Analysis
The WpEvently plugin does not confirm that state-changing HTTP requests to its administrative endpoints were generated by a page the plugin itself rendered for the current user. WordPress provides a built-in nonce mechanism for exactly this purpose (wp_nonce_field() to emit the token and check_admin_referer() or check_ajax_referer() to verify it), but the affected WpEvently handlers do not enforce nonce verification on all sensitive actions. An attacker exploits the gap by hosting a page that auto-submits a forged request to the target site. When a logged-in administrator or other privileged user loads that page, the browser attaches the WordPress authentication cookies, the capability check (if any) passes because it evaluates the victim's permissions, and the backend processes the request as legitimate. The Patchstack advisory documents the issue as a CSRF flaw affecting versions up to 4.1.2.
Root Cause
The root cause is missing CSRF token validation [CWE-352] on plugin request handlers. WpEvently action handlers act on incoming POST or GET parameters without confirming that the request carries a nonce tied to the intended action and the current user's session. The plugin does not consistently call wp_verify_nonce(), check_admin_referer() or check_ajax_referer() before executing privileged operations, so a capability check alone (current_user_can()) is not enough: it tells the handler who the victim is, not whether the victim meant to send the request.
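The following is an added illustration of the pattern described above, written for this page; it is not WpEvently's code, and the hook, function and option names (wpevently_demo_*) are hypothetical. The first handler shows the vulnerable shape (capability check, no nonce); the second and third show the hardened admin-post and AJAX forms using the WordPress nonce API.

```php
<?php
// Added example, not plugin code. All wpevently_demo_* names are hypothetical.

// --- Vulnerable pattern: the shape of the flaw described above ---
// admin-post.php?action=wpevently_demo_save routes here for logged-in users.
add_action('admin_post_wpevently_demo_save', 'wpevently_demo_save_vulnerable');
function wpevently_demo_save_vulnerable() {
    // The capability check evaluates the VICTIM's permissions, so it passes
    // for a forged request from an administrator's browser. Nothing here
    // proves the request came from a form this plugin rendered.
    if (!current_user_can('manage_options')) {
        wp_die('Forbidden', 403);
    }
    update_option('wpevently_demo_ticket_price', sanitize_text_field($_POST['price'] ?? ''));
    wp_safe_redirect(admin_url('admin.php?page=wpevently-demo&saved=1'));
    exit;
}

// --- Hardened pattern ---
// 1. Render the form with a nonce bound to one specific action.
function wpevently_demo_render_form() {
    $price = get_option('wpevently_demo_ticket_price', '');
    ?>
    <form method="post" action="<?php echo esc_url(admin_url('admin-post.php')); ?>">
        <?php wp_nonce_field('wpevently_demo_save', '_wpnonce'); ?>
        <input type="hidden" name="action" value="wpevently_demo_save_secure">
        <input type="text" name="price" value="<?php echo esc_attr($price); ?>">
        <button type="submit">Save</button>
    </form>
    <?php
}

// 2. Verify the nonce before any other work. check_admin_referer() checks
//    $_REQUEST['_wpnonce'] against the action name and the current user's
//    session and dies on failure, so a forged cross-site request never
//    reaches update_option(). A site-wide or default (-1) action would be
//    too weak: one leaked nonce would then unlock every handler.
add_action('admin_post_wpevently_demo_save_secure', 'wpevently_demo_save_secure');
function wpevently_demo_save_secure() {
    check_admin_referer('wpevently_demo_save', '_wpnonce');
    if (!current_user_can('manage_options')) {
        wp_die('Forbidden', 403);
    }
    update_option('wpevently_demo_ticket_price', sanitize_text_field($_POST['price'] ?? ''));
    wp_safe_redirect(admin_url('admin.php?page=wpevently-demo&saved=1'));
    exit;
}

// 3. The admin-ajax.php equivalent: the page sends the nonce (created with
//    wp_create_nonce('wpevently_demo_ajax')) in a "security" field and the
//    handler verifies it with check_ajax_referer(), which dies with -1 on failure.
add_action('wp_ajax_wpevently_demo_ajax_save', 'wpevently_demo_ajax_save');
function wpevently_demo_ajax_save() {
    check_ajax_referer('wpevently_demo_ajax', 'security');
    if (!current_user_can('manage_options')) {
        wp_send_json_error('forbidden', 403);
    }
    update_option('wpevently_demo_ticket_price', sanitize_text_field($_POST['price'] ?? ''));
    wp_send_json_success();
}
```

The order matters: the nonce check comes first, then the capability check, then the write. Both checks are needed; the nonce proves intent, the capability check proves authorization, and either alone leaves a hole.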
Attack Vector
Exploitation requires an authenticated WordPress user to load attacker-controlled content. The attacker delivers a phishing link, embeds the payload in a forum post, or compromises a third-party site that the victim's browser loads. The forged request executes silently in the background and modifies plugin state without the user's knowledge. The attacker needs no credentials or privileges on the target site, but the victim must hold a valid session there, and the resulting change is limited to what that victim is allowed to do. One caveat on exploitability: Chromium-based browsers default cookies without a SameSite attribute to Lax, which withholds the WordPress authentication cookies from a cross-site form POST. That blunts but does not eliminate the flaw, since handlers that act on GET parameters remain reachable through a top-level navigation (a link or redirect), and other browsers do not apply the same default.
See the Patchstack CSRF Vulnerability Advisory for advisory details.
Detection Methods for CVE-2024-32110
Indicators of Compromise
- Unexpected modifications to events, tickets, or plugin settings in the WordPress admin panel with no corresponding activity in the admin user's audit trail.
- Referer headers pointing to external domains on requests to wp-admin/admin-post.php, wp-admin/admin.php or wp-admin/admin-ajax.php that carry mage-eventpress actions.
- Bursts of state-changing requests to WpEvently endpoints from authenticated sessions immediately after users follow external links, particularly where the request lacks a nonce parameter.
Detection Strategies
- Inspect web server access logs for state-changing requests to plugin endpoints that lack a same-origin Referer or carry no nonce parameter (_wpnonce, _ajax_nonce, or a plugin-specific field such as security). Two caveats: POST bodies are not recorded in access logs, so a nonce sent in the body is invisible there, and a missing Referer is ambiguous because Referrer-Policy settings and privacy extensions strip it; treat a missing Referer as unknown rather than hostile unless the nonce is also absent.
- Audit WordPress activity logs (via plugins such as WP Activity Log) for state changes performed without a corresponding admin UI navigation trail.
- Compare plugin configuration baselines on a scheduled cadence to surface unauthorized modifications.
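The following is an added example, not part of the page or the plugin, of the first detection strategy above applied to Apache/Nginx combined-format access log lines. The site hostname events.example.com, the action names and every log line are constructed for the example; the nonce field names are the common WordPress ones.

```php
<?php
// Added example: flag state-changing requests to WordPress admin endpoints
// that lack both a same-origin Referer and a nonce parameter. Hostname,
// action names and log lines are constructed, not real traffic.

const SITE_HOST    = 'events.example.com';                         // assumed site hostname
const NONCE_PARAMS = ['_wpnonce', '_ajax_nonce', 'security'];      // common WP nonce field names
const ADMIN_PATHS  = ['/wp-admin/admin-post.php', '/wp-admin/admin-ajax.php', '/wp-admin/admin.php'];

/** Parse one combined-log line into fields, or return null if it does not match. */
function parse_log_line(string $line): ?array {
    $re = '/^(\S+) \S+ (\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "[^"]*"$/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'user' => $m[2], 'time' => $m[3], 'method' => $m[4],
            'target' => $m[5], 'status' => (int)$m[6], 'referer' => $m[7]];
}

/** Decide whether a parsed request looks like a CSRF attempt on an admin endpoint. */
function is_suspicious(array $req): bool {
    $path = parse_url($req['target'], PHP_URL_PATH) ?? '';
    if (!in_array($path, ADMIN_PATHS, true)) {
        return false;
    }
    // GET handlers are in scope for CWE-352 too, but a bare page view of
    // admin.php is noise, so require a query string on GET.
    $query = parse_url($req['target'], PHP_URL_QUERY) ?? '';
    if ($req['method'] === 'GET' && $query === '') {
        return false;
    }
    parse_str($query, $params);
    // Only query-string nonces are visible in an access log; POST bodies are not.
    $has_nonce = count(array_intersect_key($params, array_flip(NONCE_PARAMS))) > 0;

    $ref      = $req['referer'];
    $ref_host = ($ref === '' || $ref === '-') ? '' : (parse_url($ref, PHP_URL_HOST) ?? '');
    if (strcasecmp($ref_host, SITE_HOST) === 0) {
        return false;                 // same-origin: normal admin UI traffic
    }
    if ($ref_host === '') {
        return !$has_nonce;           // Referer stripped: ambiguous, flag only without a nonce
    }
    return true;                      // cross-origin Referer on an admin write endpoint
}

/** Return the parsed requests from $lines that is_suspicious() flags. */
function scan(array $lines): array {
    $hits = [];
    foreach ($lines as $line) {
        $req = parse_log_line($line);
        if ($req !== null && is_suspicious($req)) {
            $hits[] = $req;
        }
    }
    return $hits;
}

// Constructed sample lines (not real traffic).
$sample = [
    // Legitimate save from the admin UI: same-origin Referer and a nonce.
    '203.0.113.5 - - [11/Jun/2026:10:01:02 +0000] "POST /wp-admin/admin-post.php?_wpnonce=ab12cd34ef&action=wpevently_demo_save HTTP/1.1" 302 0 "https://events.example.com/wp-admin/admin.php?page=wpevently-demo" "Mozilla/5.0"',
    // Forged request: Referer is an attacker-controlled page, no nonce.
    '203.0.113.5 - - [11/Jun/2026:10:04:40 +0000] "POST /wp-admin/admin-post.php?action=wpevently_demo_save HTTP/1.1" 302 0 "https://attacker.example.net/lure.html" "Mozilla/5.0"',
    // Referer stripped and no nonce on a GET action: cannot be cleared, flag for review.
    '203.0.113.5 - - [11/Jun/2026:10:05:01 +0000] "GET /wp-admin/admin.php?page=wpevently-demo&action=wpevently_demo_delete&id=7 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    // Ordinary admin page view with no parameters: ignored.
    '203.0.113.5 - - [11/Jun/2026:10:06:00 +0000] "GET /wp-admin/admin.php HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
];

foreach (scan($sample) as $hit) {
    printf("[%s] %s %s referer=%s\n", $hit['time'], $hit['method'], $hit['target'], $hit['referer']);
}
```

Run with `php scan.php` (any PHP 7.1 or later); the second and third sample lines are reported, the first and fourth are not. Because POST bodies never reach the access log, a POST with a body-only nonce and a stripped Referer is reported too, so the output is a review queue rather than a verdict; the WordPress activity log is the place to confirm whether a flagged request actually changed anything.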
Monitoring Recommendations
- Enable verbose logging on the WordPress site and forward logs to a centralized SIEM for correlation with user authentication events.
- Alert on cross-origin POST requests to WordPress admin endpoints from authenticated sessions.
- Track failed and successful changes to ticket pricing, event metadata, and plugin options as high-value audit events.
How to Mitigate CVE-2024-32110
Immediate Actions Required
- Update Magepeople WpEvently to the fixed version named in the Patchstack advisory; if no fixed release is available yet, treat the plugin as vulnerable and apply the workarounds below.
- Restrict administrative access to the WordPress site to known IP ranges where feasible.
- Require administrators to log out of the WordPress admin interface when not actively managing the site.
Patch Information
The vendor advisory is tracked through Patchstack. Site operators should consult the Patchstack CSRF Vulnerability Advisory for the current fixed version and apply the upgrade through the WordPress plugin manager or by replacing the mage-eventpress directory under wp-content/plugins/.
Workarounds
- Deploy a Web Application Firewall (WAF) rule that blocks state-changing requests to mage-eventpress action handlers when the request carries a cross-origin Referer or Origin header. A WAF can check that a _wpnonce parameter is present but cannot verify it, since nonce validation needs the site's secret keys and the user's session; and blocking on a missing Referer alone will break legitimate users whose browsers or proxies strip it, so prefer rules keyed on a present, foreign Origin or Referer.
- Disable the WpEvently plugin until a patched version is installed if event management is not business-critical.
- Enforce browser isolation or separate browser profiles for WordPress administrators so that general browsing never shares a session with the admin interface.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.