cbcvebase.
CVE-2023-2796
published 2023-07-10

Priority: P181 · Severity: medium · CVSS 3.1 base score: 5.3
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:L / I:N / A:N
Exploitation: exploited in the wild (ITW exploit; listed in VulnCheck KEV)
EPSS: 37.47% (98.3rd percentile)
The EventON WordPress plugin before 2.1.2 lacks authentication and authorization in its eventon_ics_download ajax action, allowing unauthenticated visitors to access private and password protected Events by guessing their numeric id.

Affected (1 range)

Vendor      Product   Version range   Fixed in
myeventon   eventon   < 2.1.2         2.1.2

Detection & IOCs (extracted from sources)

url:    {{BaseURL}}/wp-admin/admin-ajax.php?action=eventon_ics_download&event_id=1
path:   /wp-admin/admin-ajax.php?action=eventon_ics_download&event_id=value
path:   /wp-content/plugins/eventon-lite/
path:   /wp-content/plugins/eventon/
other:  Content-Type: text/Calendar (response header)
bytes:  BEGIN:VCALENDAR / END:VCALENDAR in response body
  • Detect unauthenticated GET requests to the eventon_ics_download AJAX action; a successful exploit returns HTTP 200 with a valid iCalendar body (BEGIN:VCALENDAR / END:VCALENDAR) and a Content-Type: text/Calendar header. A legitimate export of a public event returns the same response, so the response alone does not prove that a private or password-protected event was read; correlate it with the visibility of the requested event or with the enumeration pattern below.
  • Monitor web server logs for unauthenticated requests to /wp-admin/admin-ajax.php with the query parameter action=eventon_ics_download, especially bursts of sequential numeric event_id values from one client (enumeration/IDOR pattern). Standard access logs do not record the WordPress session, so treat every such request as potentially unauthenticated unless a WAF or proxy log shows a wordpress_logged_in_* cookie on it.
  • Use Shodan dorks to identify exposed instances: vuln:CVE-2023-2796, http.html:/wp-content/plugins/eventon-lite/, or http.html:/wp-content/plugins/eventon/. The two http.html filters only show that the plugin is installed, not that the installed version is vulnerable; confirm with the probe URL above or by checking the plugin version.
  • Use a Google dork to find exposed EventON plugin installations: inurl:"/wp-content/plugins/eventon/"
  • The vulnerability affects EventON Free versions before 2.1.2 (and separately before 2.2.8 for a related issue). The exploit PoC was tested against version 4.4 (Premium). Ensure version checks cover both the Free and Premium branches.
  • The Nuclei template for CVE-2023-2796 uses event_id=1 as a fixed probe value; in real enumeration, attackers iterate numeric IDs. Detection rules should account for sequential or varied numeric event_id values, not just event_id=1.
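The log-based detection described in the bullets above, as an added example that is not from the page's sources or from the Nuclei template: a small Python script that parses Apache/nginx combined-format access log lines, picks out requests to the eventon_ics_download action, groups them per client IP into bursts separated by inactivity, and reports clients that touched several distinct event_id values in one burst, noting whether the IDs form a consecutive run. The log lines, IP addresses, timestamps and the 5-ID / 5-minute thresholds are constructed for illustration and do not come from any real incident.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlparse

# Apache/nginx "combined" format:
#   ip ident user [time] "METHOD target PROTO" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"
ACTION = "eventon_ics_download"

# Constructed sample log (not from a real incident): one client walks
# event_id 1..6 within seconds; a normal visitor exports a single event.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jul/2023:09:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=eventon_ics_download&event_id=1 HTTP/1.1" 200 612 "-" "python-requests/2.31"',
    '203.0.113.7 - - [10/Jul/2023:09:00:02 +0000] "GET /wp-admin/admin-ajax.php?action=eventon_ics_download&event_id=2 HTTP/1.1" 200 598 "-" "python-requests/2.31"',
    '203.0.113.7 - - [10/Jul/2023:09:00:02 +0000] "GET /wp-admin/admin-ajax.php?action=eventon_ics_download&event_id=3 HTTP/1.1" 404 - "-" "python-requests/2.31"',
    '203.0.113.7 - - [10/Jul/2023:09:00:03 +0000] "GET /wp-admin/admin-ajax.php?action=eventon_ics_download&event_id=4 HTTP/1.1" 200 640 "-" "python-requests/2.31"',
    '203.0.113.7 - - [10/Jul/2023:09:00:04 +0000] "GET /wp-admin/admin-ajax.php?action=eventon_ics_download&event_id=5 HTTP/1.1" 200 577 "-" "python-requests/2.31"',
    '203.0.113.7 - - [10/Jul/2023:09:00:05 +0000] "GET /wp-admin/admin-ajax.php?action=eventon_ics_download&event_id=6 HTTP/1.1" 200 603 "-" "python-requests/2.31"',
    '198.51.100.2 - - [10/Jul/2023:09:10:44 +0000] "GET /wp-admin/admin-ajax.php?action=eventon_ics_download&event_id=42 HTTP/1.1" 200 655 "https://example.org/events/summer-fair/" "Mozilla/5.0"',
    '198.51.100.2 - - [10/Jul/2023:09:10:50 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 31 "https://example.org/wp-admin/" "Mozilla/5.0"',
]


def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], TIME_FMT)
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec


def ics_event_id(target):
    """Return the numeric event_id of an eventon_ics_download request, else None."""
    url = urlparse(target)
    if not url.path.endswith("/wp-admin/admin-ajax.php"):
        return None
    query = parse_qs(url.query)
    if query.get("action", [None])[0] != ACTION:
        return None
    raw = query.get("event_id", [None])[0]
    return int(raw) if raw is not None and raw.isdigit() else None


def _bursts(hits, gap):
    """Split one client's time-sorted hits into bursts separated by > gap of inactivity."""
    current = [hits[0]]
    for hit in hits[1:]:
        if hit["time"] - current[-1]["time"] > gap:
            yield current
            current = [hit]
        else:
            current.append(hit)
    yield current


def detect_enumeration(lines, gap=timedelta(minutes=5), min_ids=5):
    """Report clients that requested >= min_ids distinct event_ids via the ICS
    action within one burst. Access logs do not carry the response body, so a
    200 with a non-empty body stands in for the BEGIN:VCALENDAR matcher."""
    per_ip = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        event_id = ics_event_id(rec["target"])
        if event_id is None:
            continue
        rec["event_id"] = event_id
        per_ip.setdefault(rec["ip"], []).append(rec)

    findings = []
    for ip, hits in per_ip.items():
        hits.sort(key=lambda r: r["time"])
        for burst in _bursts(hits, gap):
            ids = sorted({h["event_id"] for h in burst})
            if len(ids) < min_ids:
                continue
            findings.append({
                "ip": ip,
                "first_seen": burst[0]["time"],
                "ids": ids,
                "hits_200": sum(1 for h in burst if h["status"] == 200 and h["size"] > 0),
                # a consecutive run is the classic IDOR walk; varied ids are still reported
                "sequential": all(b - a == 1 for a, b in zip(ids, ids[1:])),
            })
    return findings


if __name__ == "__main__":
    for f in detect_enumeration(SAMPLE_LOG):
        print(f"{f['ip']}: {len(f['ids'])} ids {f['ids'][0]}..{f['ids'][-1]} "
              f"sequential={f['sequential']} successful={f['hits_200']}")
```

A single probe such as the Nuclei template's event_id=1 yields one distinct ID and will not trip the burst threshold; in a plain access log it is indistinguishable from a visitor exporting a public event, so for that case key on the scanner's user agent or a WAF rule rather than on this counter. The response-body matcher (BEGIN:VCALENDAR) needs a proxy or WAF that logs bodies; here a 200 with a non-zero response size is the stand-in for a successful download.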

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.1      5.3     MEDIUM     CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
vulncheck                 5.3     MEDIUM
vendor_redhat             5.5     MEDIUM