WordPress Plugin Vulnerabilities

EventON (Free < 2.2.8, Premium < 4.5.6) - Unauthenticated Arbitrary Post Metadata Update

Description

The plugins do not have authorisation in an AJAX action, and does not ensure that the post to be updated belong to the plugin, allowing unauthenticated users to update arbitrary post metadata.

Note: Such issue could lead to Unauthenticated Stored XSS due to the lack of sanitisation in the Free plugin before 2.7.7 and Premium before 4.5.5

Proof of Concept

Affects Plugins

Plugin icon
eventON
Fixed in 4.5.6
Plugin icon
eventon-lite
Fixed in 2.2.8

References

CVE
CVE-2024-0238

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
7.5 (high)

Miscellaneous

Original Researcher
Erwan LR (WPScan)
Submitter
Erwan LR (WPScan)
Verified
Yes
WPVDB ID
774655ac-b201-4d9f-8790-9eff8564bc91

Timeline

Publicly Published
2024-01-10 (about 1 year ago)
Added
2024-01-10 (about 1 year ago)
Last Updated
2024-01-30 (about 1 year ago)

Other

Published
Title
Published
2025-05-16
Title
6Storage Rentals <= 2.19.9 - Missing Authorization
Published
2024-07-11
Title
MakeStories (for Google Web Stories) < 3.0.4 - Authenticated (Subscriber+) Arbitrary File Download and Server-Side Request Forgery
Published
2025-04-04
Title
6Storage Rentals <= 2.19.9 - Missing Authorization
Published
2025-12-15
Title
Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories < 4.9.3 - Missing Authorization to Authenticated (Contributor+) Authors' Emails Exposure
Published
2024-07-08
Title
XPlainer – WooCommerce Product FAQ [WooCommerce Accordion FAQ Plugin] < 1.7.1 - Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting