WordPress Plugin Vulnerabilities

EventON (Free < 2.2.8, Premium < 4.5.5) - Unauthenticated Email Address Disclosure

Description

The plugins do not have authorisation in an AJAX action, allowing unauthenticated users to retrieve email addresses of any users on the blog

Proof of Concept

Affects Plugins

Plugin icon
eventON
Fixed in 4.5.5
Plugin icon
eventon-lite
Fixed in 2.2.8

References

CVE
CVE-2024-0235

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Erwan LR (WPScan)
Submitter
Erwan LR (WPScan)
Verified
Yes
WPVDB ID
e370b99a-f485-42bd-96a3-60432a15a4e9

Timeline

Publicly Published
2024-01-10 (about 1 year ago)
Added
2024-01-10 (about 1 year ago)
Last Updated
2024-01-10 (about 1 year ago)

Other

Published
Title
Published
2024-08-07
Title
Sunshine Photo Cart < 3.2.2 - Missing Authorization
Published
2025-06-05
Title
Art Theme < 3.12.3 - Missing Authorization to Authenticated (Subscriber+) Theme Option Delete
Published
2024-12-11
Title
Quietly Insights <= 1.2.2 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Options Update
Published
2025-04-01
Title
Export All Post Meta <= 1.2.1 - Missing Authorization
Published
2024-07-04
Title
The Post Grid < 7.7.5 - Missing Authorization via AJAX