Events Addon for Elementor < 2.1.3 – Missing Authorization | CVE 2023-47827 | Plugin Vulnerabilities

Description

The Events Addon for Elementor plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on the naevents_bw_settings_save_func(), naevents_bw_toggle_submit_func(), naevents_pro_settings_save_func(), naevents_pro_toggle_submit_func() and naevents_uw_settings_save_func() functions all hooked via nopriv AJAX actions in all versions up to, and including, 2.1.2. This makes it possible for unauthenticated attackers to modify the plugin's settings.

Affects Plugins

events-addon-for-elementor

Fixed in 2.1.3

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/b7f52e71-da35-4b46-b658-d293f81b5dc9

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Abdi Pranata

Verified

No

WPVDB ID

219435c8-3794-40bf-af6e-c33ccc5a2612

Timeline

Publicly Published

2023-11-14 (about 2 years ago)

Added

2023-12-23 (about 2 years ago)

Last Updated

2024-01-22 (about 2 years ago)

Other

Published

Title

Published

2025-09-05

Title

Shk Corporate <= 2.4.1.1 - Missing Authorization

Published

2024-12-05

Title

Pinpoint Booking System < 2.9.9.5.8 - Missing Authorization

Published

2026-02-09

Title

Benevolent < 1.4.0 - Missing Authorization

Published

2024-08-16

Title

Radio Player < 2.0.74 - Missing Authorization to Player Update

Published

2025-04-01

Title

RestroPress <= 3.2.4.2 - Missing Authorization