CVE-2024-0236

MEDIUM

EventON WordPress Plugin < 2.2.7 - Unauthenticated Information Disclosure via AJAX Action

Title source: llm
STIX 2.1

Description

The EventON WordPress plugin before 4.5.5, EventON WordPress plugin before 2.2.7 do not have authorisation in an AJAX action, allowing unauthenticated users to retrieve the settings of arbitrary virtual events, including any meeting password set (for example for Zoom)

References (1)

Core 1
Core References
Third Party Advisory exploit vdb-entry technical-description
https://wpscan.com/vulnerability/09aeb6f2-6473-4de7-8598-e417049896d7/

Scores

CVSS v3 5.3
EPSS 0.0045
EPSS Percentile 36.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-862
Status published
Products (1)
myeventon/eventon < 2.2.7
Published Jan 16, 2024
Tracked Since Feb 18, 2026