CVE-2023-3219

MEDIUM NUCLEI

EventON WordPress Plugin < 2.1.2 - Unauthenticated Insecure Direct Object Reference via event_id Parameter

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2023-3219. PoCs published by Miguel Santareno. A Nuclei detection template is also available.

AI-analyzed exploit summary This exploit demonstrates an IDOR vulnerability in the WordPress EventON Calendar plugin (version 4.4), allowing unauthenticated access to any post content via the eventon_ics_download AJAX action by manipulating the event_id parameter.

Description

The EventON WordPress plugin before 2.1.2 does not validate that the event_id parameter in its eventon_ics_download ajax action is a valid Event, allowing unauthenticated visitors to access any Post (including unpublished or protected posts) content via the ics export functionality by providing the numeric id of the post.

Exploits (1)

exploitdb WORKING POC

by Miguel Santareno · textwebappsphp

https://www.exploit-db.com/exploits/51659

View Code ZIP pw:eip

This exploit demonstrates an IDOR vulnerability in the WordPress EventON Calendar plugin (version 4.4), allowing unauthenticated access to any post content via the eventon_ics_download AJAX action by manipulating the event_id parameter.

Classification

Working Poc 90%

Attack Type

Info Leak

Complexity

Trivial

Reliability

Reliable

Target: WordPress Plugin EventON Calendar 4.4

No auth needed

Prerequisites: WordPress site with EventON Calendar plugin version 4.4 installed · Knowledge of target post IDs

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1222 - File and Directory Permissions Modification

devstral-2 · analyzed Feb 16, 2026 Full analysis →

Nuclei Templates (1)

EventON Lite < 2.1.2 - Arbitrary File Download

MEDIUMVERIFIEDby r3Y3r53

Shodan: http.html:/wp-content/plugins/eventon/ || http.html:/wp-content/plugins/eventon-lite/

FOFA: wp-content/plugins/eventon/ || body=/wp-content/plugins/eventon/ || body=/wp-content/plugins/eventon-lite/

References (2)

Core 2

Core References

Exploit, Third Party Advisory exploit vdb-entry technical-description

https://wpscan.com/vulnerability/72d80887-0270-4987-9739-95b1a178c1fd

Exploit, Third Party Advisory

http://packetstormsecurity.com/files/173992/WordPress-EventON-Calendar-4.4-Insecure-Direct-Object-Reference.html

Scores

CVSS v3 5.3

EPSS 0.7471

EPSS Percentile 98.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-639

Status published

Products (1)

myeventon/eventon < 2.1.2

Published Jul 10, 2023

Tracked Since Feb 18, 2026