
CVSS: 5.3 | EPSS: 4% | CPEs: 1 | EXPL: 2

The EventON WordPress plugin before 2.1.2 lacks authentication and authorization in its eventon_ics_download ajax action, allowing unauthenticated visitors to access private and password protected Events by guessing their numeric id.

The EventON plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the eventon_ics_download function in versions up to, and including, 2.1. This makes it possible for unauthenticated attackers to view private or protected events.

WordPress EventON Calendar plugin version 4.4 suffers from an insecure direct object reference vulnerability.

• https://www.exploit-db.com/exploits/51658
• http://packetstormsecurity.com/files/173984/WordPress-EventON-Calendar-4.4-Insecure-Direct-Object-Reference.html
• https://wpscan.com/vulnerability/e9ef793c-e5a3-4c55-beee-56b0909f7a0d
• CWE-862: Missing Authorization

CVSS: 6.1 | EPSS: 7% | CPEs: 1 | EXPL: 3

The EventON plugin through 3.0.5 for WordPress allows addons/?q= XSS via the search field.

The EventON plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 3.0.5. This is due to insufficient escaping and sanitization on the q= parameter.

• https://www.exploit-db.com/exploits/49130
• http://packetstormsecurity.com/files/160282/WordPress-EventON-Calendar-3.0.5-Cross-Site-Scripting.html
• https://github.com/mustgundogdu/Research/tree/main/EventON_PLUGIN_XSS
• https://www.myeventon.com/news
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')