EventON < 2.1.2 – Unauthenticated Post Access via IDOR

Description

The plugin does not validate that the event_id parameter in its eventon_ics_download ajax action is a valid Event, allowing unauthenticated visitors to access any Post (including unpublished or protected posts) content via the ics export functionality by providing the numeric id of the post.

Proof of Concept

https://example.com/wp-admin/admin-ajax.php?action=eventon_ics_download&event_id=<any post id>

Affects Plugins

eventon-lite

Fixed in 2.1.2

eventON

Fixed in 4.4

References

CVE

CVE-2023-3219

Classification

Type

IDOR

OWASP top 10

A5: Broken Access Control

CWE

CWE-639

CVSS

7.5 (high)

Miscellaneous

Original Researcher

Miguel Santareno

Submitter

Miguel Santareno

Submitter website

https://miguelsantareno.github.io/

Submitter twitter

MiguelSantareno

Verified

Yes

WPVDB ID

72d80887-0270-4987-9739-95b1a178c1fd

Timeline

Publicly Published

2023-06-19 (about 5 months ago)

Added

2023-06-19 (about 5 months ago)

Last Updated

2023-08-29 (about 3 months ago)

Other

Published

Title

Published

2023-05-15

Title

WooCommerce Ship to Multiple Addresses < 3.8.4 - Subscriber+ Shipping Address Disclosure via IDOR

Published

2021-03-17

Title

BuddyPress < 7.2.1 - Manage BuddyPress Member Types

Published

2023-07-05

Title

BadgeOS <= 3.7.1.6 - Subscriber+ IDOR

Published

2023-07-26

Title

ACF Photo Gallery Field < 2.0 - Subscriber+ UserMeta Update

Published

2023-04-10

Title

Ruby Help Desk < 1.3.4 - Subscriber+ Ticket Update via IDOR