
CVSS: 6.4 • EPSS: 0% • CPEs: 1 • EXPL: 0

16 May 2025 — The EventON Pro plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check in the 'assets/lib/settings/settings.js' file in all versions up to, and including, 4.9.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability was partially patched in version 4.9.6. • https://codecanyon.net/item/eventon-wordpress-event-calendar-plugin/1211017#item-description__change-log • CWE-862: Missing Authorization

CVSS: 5.0 • EPSS: 0% • CPEs: 1 • EXPL: 0

18 Oct 2024 — The EventON PRO - WordPress Virtual Event Calendar Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.6.8. This is due to missing or incorrect nonce validation on the admin_test_email function. This makes it possible for unauthenticated attackers to send test emails to arbitrary email addresses via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link. • https://docs.myeventon.com/documentations/eventon-changelog • CWE-352: Cross-Site Request Forgery (CSRF)