CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2025-47565 – WordPress EventON plugin <= 4.9.9 - Broken Access Control vulnerability
https://notcve.org/view.php?id=CVE-2025-47565
03 Jul 2025 — Missing Authorization vulnerability in ashanjay EventON allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects EventON: from n/a through 4.9.9. The EventON (Pro) - WordPress Virtual Event Calendar Plugin plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 4.9.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform an unauthorized a... • https://patchstack.com/database/wordpress/plugin/eventon/vulnerability/wordpress-eventon-plugin-4-9-9-broken-access-control-vulnerability-2?_s_id=cve • CWE-862: Missing Authorization •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2025-48116 – WordPress EventON <= 2.4.4 - Broken Access Control Vulnerability
https://notcve.org/view.php?id=CVE-2025-48116
16 May 2025 — Missing Authorization vulnerability in Ashan Perera EventON allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects EventON: from n/a through 2.4.4. The EventON – Events Calendar plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 2.4.4. This makes it possible for unauthenticated attackers to perform an unauthorized action. • https://patchstack.com/database/wordpress/plugin/eventon-lite/vulnerability/wordpress-eventon-2-4-4-broken-access-control-vulnerability?_s_id=cve • CWE-862: Missing Authorization •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2025-3527 – EventON - WordPress Virtual Event Calendar Plugin <= 4.9.6 - Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2025-3527
16 May 2025 — The EventON Pro plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check in the 'assets/lib/settings/settings.js' file in all versions up to, and including, 4.9.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability was partially patched in version 4.9.6. • https://codecanyon.net/item/eventon-wordpress-event-calendar-plugin/1211017#item-description__change-log • CWE-862: Missing Authorization •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2025-47564 – WordPress EventON plugin <= 4.9.9 - Broken Access Control vulnerability
https://notcve.org/view.php?id=CVE-2025-47564
16 May 2025 — Missing Authorization vulnerability in ashanjay EventON allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects EventON: from n/a through 4.9.9. The EventON (Pro) - WordPress Virtual Event Calendar Plugin plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 4.9.9. This makes it possible for unauthenticated attackers to perform an unauthorized action. • https://patchstack.com/database/wordpress/plugin/eventon/vulnerability/wordpress-eventon-plugin-4-9-9-broken-access-control-vulnerability?_s_id=cve • CWE-862: Missing Authorization •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2025-47494 – WordPress EventON <= 2.4.1 - Local File Inclusion Vulnerability
https://notcve.org/view.php?id=CVE-2025-47494
07 May 2025 — Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Ashan Perera EventON allows PHP Local File Inclusion. This issue affects EventON: from n/a through 2.4.1. The EventON plugin for WordPress is vulnerable to Local File Inclusion via the evo_block_render_callback() function in versions up to, and including, 2.4.1. This makes it possible for authenticated attackers, with contributor-level access and above, to include and execute arbitrary fi... • https://patchstack.com/database/wordpress/plugin/eventon-lite/vulnerability/wordpress-eventon-2-4-1-local-file-inclusion-vulnerability?_s_id=cve • CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2025-32614 – WordPress EventON plugin <= 2.3.2 - Local File Inclusion vulnerability
https://notcve.org/view.php?id=CVE-2025-32614
09 Apr 2025 — Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Ashan Perera EventON allows PHP Local File Inclusion. This issue affects EventON: from n/a through 2.3.2. The EventON plugin for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 2.4. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be u... • https://patchstack.com/database/wordpress/plugin/eventon-lite/vulnerability/wordpress-eventon-plugin-2-3-2-local-file-inclusion-vulnerability-2?_s_id=cve • CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2025-32160 – WordPress EventON plugin <= 2.3.2 - Local File Inclusion vulnerability
https://notcve.org/view.php?id=CVE-2025-32160
04 Apr 2025 — Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Ashan Perera EventON. This issue affects EventON: from n/a through 2.3.2. The EventON plugin for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 2.4.1. This makes it possible for authenticated attackers, with contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. Thi... • https://patchstack.com/database/wordpress/plugin/eventon-lite/vulnerability/wordpress-eventon-plugin-2-3-2-local-file-inclusion-vulnerability?_s_id=cve • CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') •
CVSS: 5.0EPSS: 0%CPEs: 1EXPL: 0CVE-2023-6243 – EventON PRO - WordPress Virtual Event Calendar Plugin <= 4.6.8 - Cross-Site Request Forgery via admin_test_email
https://notcve.org/view.php?id=CVE-2023-6243
18 Oct 2024 — The EventON PRO - WordPress Virtual Event Calendar Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.6.8. This is due to missing or incorrect nonce validation on the admin_test_email function. This makes it possible for unauthenticated attackers to send test emails to arbitrary email addresses via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. • https://docs.myeventon.com/documentations/eventon-changelog • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 5.9EPSS: 0%CPEs: 1EXPL: 0CVE-2024-33940 – WordPress EventON plugin <= 2.2.14 - Cross Site Scripting (XSS) vulnerability
https://notcve.org/view.php?id=CVE-2024-33940
30 Apr 2024 — Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ashan Jay EventON allows Stored XSS.This issue affects EventON: from n/a through 2.2.14. La vulnerabilidad de neutralización inadecuada de la entrada durante la generación de páginas web ('cross-site Scripting') en Ashan Jay EventON permite almacenar XSS. Este problema afecta a EventON: desde n/a hasta 2.2.14. The EventON plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings i... • https://patchstack.com/database/vulnerability/eventon-lite/wordpress-eventon-plugin-2-2-14-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •