CVE-2023-3219
published 2023-07-10


Priority: P3 (42) · Severity: medium · CVSS 3.1 base score: 5.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
EXPLOIT
EPSS: 6.12% (92.5th percentile)
The EventON WordPress plugin before 2.1.2 does not validate that the event_id parameter in its eventon_ics_download ajax action is a valid Event, allowing unauthenticated visitors to access any Post (including unpublished or protected posts) content via the ics export functionality by providing the numeric id of the post.

Affected (1 range)

Vendor: myeventon · Product: eventon · Version range: < 2.1.2 · Fixed in: 2.1.2

Detection & IOCs (extracted from sources)

url: /wp-admin/admin-ajax.php?action=eventon_ics_download&event_id=1
path: /wp-content/plugins/eventon/
path: /wp-content/plugins/eventon-lite/
command: action=eventon_ics_download&event_id=
  • Detect exploitation attempts by monitoring GET requests to /wp-admin/admin-ajax.php with the 'action=eventon_ics_download' parameter combined with an arbitrary numeric 'event_id'. Requests are unauthenticated and require no prior session.
  • A successful exploitation response will contain both 'BEGIN:VCALENDAR' and 'END:VCALENDAR' in the body with a 'text/Calendar' Content-Type header and HTTP 200 status, indicating post content was leaked via ICS export.
  • Presence of the plugin paths '/wp-content/plugins/eventon/' or '/wp-content/plugins/eventon-lite/' in HTTP responses indicates a potentially vulnerable installation that should be prioritized for scanning.
  • The exploit works by supplying any arbitrary numeric post ID as 'event_id'; there is no fixed payload value. Attackers enumerate IDs (e.g., 1, 2, 3…) to harvest different posts, so detection rules should focus on the action parameter pattern rather than a specific event_id value.
  • The vulnerability affects EventON Lite versions before 2.1.2 as well as the paid EventON plugin (tested on version 4.4); detection coverage should include both plugin paths.
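The detection notes above can be turned into a small log-scanning rule. The following is an added example written for this page, not code from the source or from the EventON project. It parses access-log lines in the common "combined" format, flags any request to /wp-admin/admin-ajax.php whose action is eventon_ics_download with a numeric event_id (matching on the action, not on a specific id, as the notes recommend), groups distinct ids per client to surface enumeration, and applies the response-side signature (HTTP 200, text/calendar, BEGIN:VCALENDAR / END:VCALENDAR) when a response body is available. The log lines, the enumeration threshold (ENUM_THRESHOLD) and the treatment of POST requests in addition to GET are assumptions made for the example; for a POST, only parameters carried in the query string are visible in an access log, so body-carried parameters need WAF or full request logging.

```python
"""Access-log detection for CVE-2023-3219 (EventON eventon_ics_download) attempts.

Added example, not from the page or the EventON project. Sample log lines are
constructed; the enumeration threshold is an assumption.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in Apache/nginx "combined" log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jul/2023:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=eventon_ics_download&event_id=1 HTTP/1.1" 200 812 "-" "curl/8.1"
203.0.113.7 - - [10/Jul/2023:10:00:02 +0000] "GET /wp-admin/admin-ajax.php?action=eventon_ics_download&event_id=2 HTTP/1.1" 200 640 "-" "curl/8.1"
203.0.113.7 - - [10/Jul/2023:10:00:03 +0000] "GET /wp-admin/admin-ajax.php?action=eventon_ics_download&event_id=3 HTTP/1.1" 200 711 "-" "curl/8.1"
198.51.100.5 - - [10/Jul/2023:10:05:00 +0000] "GET /wp-admin/admin-ajax.php?action=eventon_ics_download&event_id=abc HTTP/1.1" 400 12 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Jul/2023:10:06:00 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 50 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Jul/2023:10:07:00 +0000] "POST /wp-admin/admin-ajax.php?action=eventon_ics_download&event_id=%31%32 HTTP/1.1" 200 700 "-" "python-requests/2.31"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

VULN_ACTION = "eventon_ics_download"
ENUM_THRESHOLD = 3  # assumption: >= 3 distinct ids from one client is id harvesting


def parse_line(line):
    """Return the fields we need from one combined-format log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def ics_download_attempt(target):
    """Return the event_id string when the request target matches the vulnerable
    ajax action with a numeric event_id, else None.

    parse_qs percent-decodes values, so event_id=%31%32 is seen as '12'.
    Matching is on the action name, not a specific id: any post id is a payload.
    """
    parts = urlsplit(target)
    if not parts.path.endswith("/wp-admin/admin-ajax.php"):
        return None
    q = parse_qs(parts.query)
    if q.get("action", [None])[0] != VULN_ACTION:
        return None
    event_id = q.get("event_id", [None])[0]
    if event_id is None or not (event_id.isascii() and event_id.isdigit()):
        return None
    return event_id


def looks_like_ics_leak(status, content_type, body):
    """Response-side signature from the IOC list: HTTP 200 with a text/calendar
    body framed by BEGIN:VCALENDAR / END:VCALENDAR means content was exported."""
    media_type = content_type.split(";")[0].strip().lower()
    return (
        status == 200
        and media_type == "text/calendar"
        and "BEGIN:VCALENDAR" in body
        and "END:VCALENDAR" in body
    )


def analyze(log_text):
    """Scan access-log text and return (hits, enumerators).

    hits: one dict per request matching the vulnerable action with a numeric id.
    enumerators: {ip: sorted distinct event_ids} for clients that requested at
    least ENUM_THRESHOLD distinct ids (the harvesting pattern described above).
    """
    hits = []
    ids_by_ip = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        event_id = ics_download_attempt(rec["target"])
        if event_id is None:
            continue
        hits.append({"ip": rec["ip"], "method": rec["method"],
                     "event_id": event_id, "status": rec["status"]})
        ids_by_ip[rec["ip"]].add(event_id)
    enumerators = {ip: sorted(ids, key=int)
                   for ip, ids in ids_by_ip.items() if len(ids) >= ENUM_THRESHOLD}
    return hits, enumerators


if __name__ == "__main__":
    found, harvesters = analyze(SAMPLE_LOG)
    for h in found:
        print(f"{h['ip']} {h['method']} event_id={h['event_id']} status={h['status']}")
    for ip, ids in harvesters.items():
        print(f"ENUMERATION from {ip}: ids {ids}")
```

A 200 in the access log is only a hint: the plugin may return 200 for an id that does not resolve, so confirming a leak needs the response body, which is what looks_like_ics_leak checks when a WAF or proxy captures it. The Content-Type comparison is case-insensitive because the source quotes the header as 'text/Calendar'.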