WordPress Plugin Vulnerabilities

EventON (Free < 2.2.9, Premium < 4.5.9) - Unauthenticated Virtual Event Settings Update

Description

The plugins do not have authorisation and CSRF in some AJAX actions, allowing unauthenticated users to update virtual events settings, such as meeting URL, moderator, access details etc

Proof of Concept

Affects Plugins

Plugin icon
eventON
Fixed in 4.5.9
Plugin icon
eventon-lite
Fixed in 2.2.9

References

CVE
CVE-2024-0237

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.9 (medium)

Miscellaneous

Original Researcher
Erwan LR (WPScan)
Submitter
Erwan LR (WPScan)
Verified
Yes
WPVDB ID
73d1b00e-1f17-4d9a-bfc8-6bc43a46b90b

Timeline

Publicly Published
2024-01-10 (about 1 year ago)
Added
2024-01-10 (about 1 year ago)
Last Updated
2024-02-02 (about 1 year ago)

Other

Published
Title
Published
2025-01-16
Title
WC Wallet <= 2.2.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Content Deletion
Published
2025-06-27
Title
WP DB Booster <= 1.0.1 - Missing Authorization
Published
2025-11-17
Title
WP Duplicate Page < 1.8 - Missing Authorization to Authenticated (Contributor+) Sensitive Information Disclosure
Published
2025-01-06
Title
Croma Music < 3.6.1 - Authenticated (Subscriber+) Arbitrary Options Update in ironMusic_ajax
Published
2024-12-11
Title
Web3 Cryptocurrency Payments by DePay for WooCommerce < 2.12.18 - Missing Authorization to Information Exposure