In modules/events/events_function.php, the event participation logic allows any user who can participate in an event to register OTHER users by manipulating the user_uuid GET parameter.
Line 47: $getUserUuid = admFuncVariableIsValid($_GET, 'user_uuid', 'uuid', ...)
Line 424: if ($event->possibleToParticipate() || $participants->isLeader($gCurrentUserId))
The condition uses || (OR), meaning if possibleToParticipate() returns true (event is open for participation), ANY user - not just leaders - can specify a different user_uuid and register/cancel participation for that user.
The code then operates on $user->getValue('usr_id') (the target user from user_uuid) rather than the current user.
For non-leader users, force user_uuid to the current user:
if (!$participants->isLeader($gCurrentUserId)) {
$getUserUuid = $gCurrentUser->getValue('usr_uuid');
}
| Score | Percentile |
|---|---|
| 0.02% | 3.82% |
| Base score | Version | Severity | Vector |
|---|---|---|---|
| 5.3 | 4.0 | — |
|
| Type | Value |
|---|---|
| GHSA | GHSA-7pfv-hr63-h7cw ↗ |
| CVE | CVE-2026-30927 ↗ |
| CWE id | Name |
|---|---|
| CWE-639 | Authorization Bypass Through User-Controlled Key |
Vulnerable version ranges and first patched releases as published by GitHub.
| Ecosystem | Package | Vulnerable range | First patched | Vulnerable functions |
|---|---|---|---|---|
| composer | admidio/admidio | < 5.0.6 | 5.0.6 | — |