← back
CVE-2023-2796

EventON < 2.1.2 - Unauthenticated Event Access

EPSS 37.5%
The EventON WordPress plugin before 2.1.2 lacks authentication and authorization in its eventon_ics_download ajax action, allowing unauthenticated visitors to access private and password protected Events by guessing their numeric id.
Affected products
Unknown · EventON
public PoCs found3
cve_referencepacketstormsecurity.com/files/173984/WordPress-EventON-Calendar-4.4-Insecure-Direct-Object-Reference.htmlunverifiedcve_referencewpscan.com/vulnerability/e9ef793c-e5a3-4c55-beee-56b0909f7a0dunverifiedexploitdbwww.exploit-db.com/exploits/51658unverified
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
http://packetstormsecurity.com/files/173984/WordPress-EventON-Calendar-4.4-Insecure-Direct-Object-Reference.htmlhttps://wpscan.com/vulnerability/e9ef793c-e5a3-4c55-beee-56b0909f7a0d