WordPress Plugin Vulnerabilities

EventON < 2.2.16 - Missing Authorization to Unauthenticated Stored Cross-Site Scripting and Plugin Settings Updates

Description

The EventON plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'eventon_import_settings' ajax action in all versions up to, and including, 2.2.15. This makes it possible for unauthenticated attackers to update plugin settings, including adding stored cross-site scripting to settings options displayed on event calendar pages.

Affects Plugins

Plugin icon
eventon-lite
Fixed in 2.2.16

References

CVE
CVE-2024-6180
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/12f3dc64-322d-4015-8c57-eaa41c9a1829

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
7.2 (high)

Miscellaneous

Original Researcher
Lucio Sá
Verified
No
WPVDB ID
508c9eb5-11e5-4f16-872f-a04cdb663856

Timeline

Publicly Published
2024-07-08 (about 1 year ago)
Added
2024-07-08 (about 1 year ago)
Last Updated
2024-07-30 (about 1 year ago)

Other

Published
Title
Published
2025-11-18
Title
CBX Bookmark & Favorite < 2.0.2 - Missing Authorization
Published
2024-04-22
Title
Vision Interactive < 1.7.2 - Missing Authorization
Published
2026-01-15
Title
Kalium < 3.30 - Missing Authorization to Unauthenticated Mail Relay via kalium_vc_contact_form_request
Published
2026-05-05
Title
All-in-One WP Migration Unlimited Extension < 2.84 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Backup Schedule Creation and Backup File Download
Published
2024-03-26
Title
WholesaleX < 1.3.2 - Authenticated(Subscriber+) Missing Authorization via multiple AJAX actions