CVE-2024-0238

MEDIUM

EventON < 2.2.8 - Unauthenticated Arbitrary Post Metadata Update via AJAX Action

Title source: llm

Description

The EventON Premium WordPress plugin before 4.5.6 and the EventON WordPress plugin before 2.2.8 do not have authorisation in an AJAX action and do not ensure that the post to be updated belongs to the plugin, allowing unauthenticated users to update arbitrary post metadata.

References (1)

Core 1
Core References
Third Party Advisory exploit vdb-entry technical-description
https://wpscan.com/vulnerability/774655ac-b201-4d9f-8790-9eff8564bc91/

Scores

CVSS v3 6.1
EPSS 0.0037
EPSS Percentile 29.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-79 CWE-862
Status published
Products (1)
myeventon/eventon < 2.2.7
Published Jan 16, 2024
Tracked Since Feb 18, 2026