Lucene search

PRIOn knowledge basePRION:CVE-2023-6158

HistoryJan 10, 2024 - 3:15 p.m.

Design/Logic Flaw

2024-01-1015:15:00

PRIOn knowledge base

www.prio-n.com

eventon

wordpress

virtual event

calendar

plugin

vulnerability

unauthorized modification

data loss

missing capability check

unauthenticated attackers

arbitrary post metadata

content injection

7.4 High

AI Score

Confidence

Low

0.001 Low

EPSS

Percentile

23.5%

JSON

The EventON - WordPress Virtual Event Calendar Plugin plugin for WordPress is vulnerable to unauthorized modification of data and loss of data due to a missing capability check on the evo_eventpost_update_meta function in all versions up to, and including, 4.5.4 (for Pro) and 2.2.7 (for free). This makes it possible for unauthenticated attackers to update and remove arbitrary post metadata. Note that certain parameters may allow for content injection.

CPENameOperatorVersion
eventonle4.5.4
eventon-litele2.2.7

CPE	Name	Operator	Version
	eventon	le	4.5.4
	eventon-lite	le	2.2.7

References

docs.myeventon.com/documentations/eventon-changelog/

plugins.trac.wordpress.org/changeset/3017578/eventon-lite/trunk/includes/admin/class-admin-ajax.php

www.wordfence.com/threat-intel/vulnerabilities/id/19f94c4f-145b-4058-aabd-06525fce3cea?source=cve