cvelist | WPScan | CVELIST:CVE-2024-0236
History: Jan 16, 2024 - 3:57 p.m.

CVE-2024-0236 EventON (Free < 2.2.8, Premium < 4.5.5) - Unauthenticated Virtual Event Password Disclosure

2024-01-16 15:57:00
WPScan
www.cve.org
cve-2024-0236
eventon
wordpress
plugin
vulnerability
virtual event
password disclosure
ajax action
unauthenticated
settings
arbitrary
meeting password
zoom

EPSS: 0.001 Low

Percentile: 20.7%

The EventON WordPress plugin before 4.5.5 and the EventON WordPress plugin before 2.2.7 do not have authorisation in an AJAX action, allowing unauthenticated users to retrieve the settings of arbitrary virtual events, including any meeting password set (for example, for Zoom).

CNA Affected

[
  {
    "vendor": "Unknown",
    "product": "EventON",
    "versions": [
      {
        "status": "affected",
        "versionType": "semver",
        "version": "0",
        "lessThan": "4.5.5"
      }
    ],
    "defaultStatus": "unaffected"
  },
  {
    "vendor": "Unknown",
    "product": "EventON",
    "versions": [
      {
        "status": "affected",
        "versionType": "semver",
        "version": "0",
        "lessThan": "2.2.7"
      }
    ],
    "defaultStatus": "unaffected",
    "collectionURL": "https://wordpress.org/plugins"
  }
]
