CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2023-7200 – EventON < 4.4.1 - Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2023-7200
The EventON WordPress plugin before 4.4.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin El complemento EventON de WordPress anterior a 4.4.1 no sanitiza ni escapa un parámetro antes de devolverlo a la página, lo que genera cross site scripting reflejado que podría usarse contra usuarios con privilegios elevados, como el administrador. The EventON Pro plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via an unknown parameter in all versions up to, and including, 4.4.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. • https://wpscan.com/vulnerability/586cf0a5-515c-43ea-8c03-f2f47ed13c2c • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 1CVE-2024-0238 – EventON (Free < 2.2.8, Premium < 4.5.6) - Unauthenticated Arbitrary Post Metadata Update
https://notcve.org/view.php?id=CVE-2024-0238
The EventON Premium WordPress plugin before 4.5.6, EventON WordPress plugin before 2.2.8 do not have authorisation in an AJAX action, and does not ensure that the post to be updated belong to the plugin, allowing unauthenticated users to update arbitrary post metadata. El complemento EventON WordPress anterior a 4.5.5 y el complemento EventON WordPress anterior a 2.2.7 no tienen autorización en una acción AJAX y no garantizan que la publicación que se actualizará pertenezca al complemento, lo que permite a usuarios no autenticados actualizar metadatos de publicaciones arbitrarias. • https://wpscan.com/vulnerability/774655ac-b201-4d9f-8790-9eff8564bc91 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-862: Missing Authorization •
CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 1CVE-2024-0233 – EventON (Free < 2.2.8, Premium < 4.5.5) - Reflected XSS
https://notcve.org/view.php?id=CVE-2024-0233
The EventON WordPress plugin before 4.5.5, EventON WordPress plugin before 2.2.7 do not properly sanitise and escape a parameter before outputting it back in pages, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin El complemento EventON WordPress anterior a 4.5.5 y el complemento EventON WordPress anterior a 2.2.7 no sanitizan ni escapan adecuadamente un parámetro antes de devolverlo a las páginas, lo que genera cross site scripting reflejado que podría usarse contra usuarios con privilegios elevados, como el administrador. The EventON plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'eid' parameter in all versions up to, and including, 4.5.4 (premium) & 2.2.7 (free) due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. • https://wpscan.com/vulnerability/04a708a0-b6f3-47d1-aac9-0bb17f57c61e • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-116: Improper Encoding or Escaping of Output •
CVSS: 5.3EPSS: 0%CPEs: 2EXPL: 2CVE-2024-0235 – EventON (Free < 2.2.8, Premium < 4.5.5) - Unauthenticated Email Address Disclosure
https://notcve.org/view.php?id=CVE-2024-0235
The EventON WordPress plugin before 4.5.5, EventON WordPress plugin before 2.2.7 do not have authorisation in an AJAX action, allowing unauthenticated users to retrieve email addresses of any users on the blog El complemento EventON WordPress anterior a 4.5.5 y el complemento EventON WordPress anterior a 2.2.7 no tienen autorización en una acción AJAX, lo que permite a los usuarios no autenticados recuperar direcciones de correo electrónico de cualquier usuario en el blog. The EventON plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the get_virtual_users() function in all versions up, and including to 4.5.4 (premium) & 2.2.7 (free). This makes it possible for unauthenticated attackers to retrieve email addresses from the blog. • https://github.com/Cappricio-Securities/CVE-2024-0235 https://wpscan.com/vulnerability/e370b99a-f485-42bd-96a3-60432a15a4e9 • CWE-862: Missing Authorization •
CVSS: 5.3EPSS: 0%CPEs: 2EXPL: 1CVE-2024-0237 – EventON (Free < 2.2.9, Premium <= 4.5.8) - Unauthenticated Virtual Event Settings Update
https://notcve.org/view.php?id=CVE-2024-0237
The EventON WordPress plugin through 4.5.8, EventON WordPress plugin before 2.2.7 do not have authorisation in some AJAX actions, allowing unauthenticated users to update virtual events settings, such as meeting URL, moderator, access details etc El complemento EventON WordPress anterior a 4.5.5 y el complemento EventON WordPress anterior a 2.2.7 no tienen autorización en algunas acciones AJAX, lo que permite a usuarios no autenticados actualizar la configuración de eventos virtuales, como la URL de la reunión, el moderador, los detalles de acceso, etc. Multiple plugins and/or themes for WordPress are vulnerable to unauthorized modification of data due to a missing capability check on several function in various versions. This makes it possible for unauthenticated attackers to save virtual event settings. • https://wpscan.com/vulnerability/73d1b00e-1f17-4d9a-bfc8-6bc43a46b90b • CWE-862: Missing Authorization •