CVE-2024-0235
Published 2024-01-16
Priority P278 · medium 5.3 · CVSS 3.1
CVSS vector: AV:N AC:L PR:N UI:N S:U C:L I:N A:N
ITW exploit · VulnCheck KEV
Exploited in the wild
EPSS 37.96% (98.4th percentile)
The EventON WordPress plugin before 4.5.5, EventON WordPress plugin before 2.2.7 do not have authorisation in an AJAX action, allowing unauthenticated users to retrieve email addresses of any users on the blog
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| myeventon | eventon | < 2.2.7 | 2.2.7 |
| myeventon | eventon | >= 4.0 < 4.5.5 | 4.5.5 |
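As an added example (not code from the plugin vendor, NVD or any source quoted on this page), the Python below maps a discovered EventON version onto the two ranges in the table above, using the NVD boundary for the free branch by default and taking the alternative 2.2.8 boundary as a parameter. It assumes the install exposes a WordPress.org-style readme.txt whose "Stable tag:" header carries the plugin version; the sample readme is constructed.

```python
"""Map an EventON version onto the CVE-2024-0235 ranges from the table above.

Added example; not vendor, NVD or WPScan code. Assumption: the install
exposes a WordPress.org-style readme.txt with a "Stable tag:" header.
"""
import re
from typing import Dict, Optional, Tuple

# Boundaries as published by NVD (and in the table above). The Nuclei/WPScan
# material gives the free branch as < 2.2.8; pass free_fixed="2.2.8" to use it.
FREE_FIXED = "2.2.7"
PREMIUM_MIN = "4.0"
PREMIUM_FIXED = "4.5.5"


def parse_version(version: str) -> Tuple[int, ...]:
    """'4.5' -> (4, 5, 0); raises on strings with no numeric component
    (e.g. a readme whose Stable tag is 'trunk')."""
    parts = [int(p) for p in re.findall(r"\d+", version)]
    if not parts:
        raise ValueError(f"unparseable version: {version!r}")
    parts += [0] * (3 - len(parts))
    return tuple(parts)


def is_vulnerable(version: str, free_fixed: str = FREE_FIXED) -> bool:
    """True if version falls in [.., free_fixed) or [PREMIUM_MIN, PREMIUM_FIXED).
    Anything between the two ranges (e.g. 3.x) is outside both and reported safe."""
    v = parse_version(version)
    in_free = v < parse_version(free_fixed)
    in_premium = parse_version(PREMIUM_MIN) <= v < parse_version(PREMIUM_FIXED)
    return in_free or in_premium


STABLE_TAG_RE = re.compile(r"^[ \t]*Stable tag:[ \t]*(\S+)", re.IGNORECASE | re.MULTILINE)


def version_from_readme(readme_text: str) -> Optional[str]:
    """Pull the version from a WordPress.org-style readme header (assumed layout)."""
    m = STABLE_TAG_RE.search(readme_text)
    return m.group(1) if m else None


def assess_readme(readme_text: str, free_fixed: str = FREE_FIXED) -> Dict[str, object]:
    """Combine the two steps and never raise: unknown versions are reported as None."""
    version = version_from_readme(readme_text)
    if version is None:
        return {"version": None, "vulnerable": None, "note": "no Stable tag header"}
    try:
        return {"version": version, "vulnerable": is_vulnerable(version, free_fixed), "note": ""}
    except ValueError:
        return {"version": version, "vulnerable": None, "note": "non-numeric Stable tag"}


# Constructed sample: a readme for a premium-branch build one release below the fix.
SAMPLE_README = """\
=== EventON ===
Contributors: example
Requires at least: 5.0
Tested up to: 6.4
Stable tag: 4.5.4
License: GPLv2
"""

if __name__ == "__main__":
    print(assess_readme(SAMPLE_README))
    # Same input, with the free branch evaluated against the 2.2.8 boundary.
    print(assess_readme(SAMPLE_README, free_fixed="2.2.8"))
```

A premium build does not necessarily ship a public readme.txt, so treat a missing header as "unknown", not as "patched"; the function returns None in that case rather than guessing.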
Detection & IOCs (extracted from sources)
Exploit request: POST /wp-admin/admin-ajax.php?action=eventon_get_virtual_users with body _user_role=administrator
- Presence of the plugin paths '/wp-content/plugins/eventon/' or '/wp-content/plugins/eventon-lite/' in an HTTP response body indicates a potentially vulnerable EventON installation.
- The exploit POST body uses '_user_role=administrator' with Content-Type application/x-www-form-urlencoded to the AJAX action; no authentication is required.
- Vulnerable versions are EventON Free < 2.2.8 and EventON Premium < 4.5.5 according to the WPScan template (and the Nuclei template title below), while the NVD entry and the table above put the free branch boundary at < 2.2.7. Verify the exact patched version against the vendor advisory.
- The Shodan fingerprint query references 'vuln:CVE-2023-2796', which is a different CVE; treat that Shodan query with caution, as it may produce false positives or miss true CVE-2024-0235 targets.
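Added example, not a rule from any of the sources listed on this page: a Python pass over web-server access log lines that flags the request pattern described above (POST to /wp-admin/admin-ajax.php with action=eventon_get_virtual_users) and separates likely successful reads from probes by response status and size. The log lines are constructed in Apache/nginx combined format. Note the caveat built into the check: an access log only shows the action when it travels in the query string, and never shows the `_user_role` body parameter; attempts that carry `action=` in the POST body need WAF or proxy request-body logging.

```python
"""Flag CVE-2024-0235 exploitation attempts in access logs.

Added example; not a detection rule from VulnCheck, Nuclei or NVD.
Log lines are constructed samples in combined log format.
"""
import re
from collections import Counter
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r"(?P<status>\d{3}) (?P<size>\d+|-)"
)
TARGET_ACTION = "eventon_get_virtual_users"


def parse_line(line: str) -> Optional[Dict[str, str]]:
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def is_exploit_attempt(entry: Dict[str, str]) -> bool:
    """True when the request targets the vulnerable AJAX action.

    Only the query-string form is visible here; WordPress also accepts
    action= in the POST body, which an access log does not record.
    """
    if entry["method"] != "POST":
        return False
    url = urlsplit(entry["path"])
    if not url.path.endswith("/wp-admin/admin-ajax.php"):
        return False
    return any(a.lower() == TARGET_ACTION for a in parse_qs(url.query).get("action", []))


def scan(lines: List[str]) -> List[Dict[str, object]]:
    hits: List[Dict[str, object]] = []
    for line in lines:
        entry = parse_line(line)
        if entry and is_exploit_attempt(entry):
            hit: Dict[str, object] = dict(entry)
            # A 200 with a non-empty body is the signal that user data came back;
            # 4xx/5xx (e.g. a WAF block or a patched plugin) are probes.
            hit["likely_success"] = entry["status"] == "200" and entry["size"] not in ("-", "0")
            hits.append(hit)
    return hits


def sources(hits: List[Dict[str, object]]) -> Counter:
    """Attempts per source IP, for blocking or enrichment."""
    return Counter(str(h["ip"]) for h in hits)


# Constructed sample log: two successful reads, one blocked probe, two benign lines.
SAMPLE_LOG = [
    '203.0.113.7 - - [23/Aug/2025:10:15:02 +0000] "POST /wp-admin/admin-ajax.php?action=eventon_get_virtual_users HTTP/1.1" 200 1532 "-" "python-requests/2.31"',
    '203.0.113.7 - - [23/Aug/2025:10:15:03 +0000] "POST /wp-admin/admin-ajax.php?action=eventon_get_virtual_users HTTP/1.1" 200 1532 "-" "python-requests/2.31"',
    '198.51.100.4 - - [23/Aug/2025:10:16:40 +0000] "GET /wp-content/plugins/eventon/readme.txt HTTP/1.1" 200 2041 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [23/Aug/2025:10:17:11 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 67 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [23/Aug/2025:10:18:00 +0000] "POST /wp-admin/admin-ajax.php?action=eventon_get_virtual_users HTTP/1.1" 403 199 "-" "curl/8.4.0"',
]

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for h in found:
        print(h["ip"], h["status"], "success" if h["likely_success"] else "probe")
    print(sources(found))
```

The readme.txt fetch in the sample is left unflagged on purpose: it is a plugin fingerprinting request, useful as context once an IP has already hit the AJAX action, but on its own it is ordinary scanner noise.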
CVSS provenance
nvd · v3.1 · 5.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
vulncheck · 5.3 MEDIUM
GHSA
GHSA-w32c-7vqv-h5gw · ghsa_unreviewed · 2024-01-16 · CVE-2024-0235 · MEDIUM · CWE-862
The EventON WordPress plugin before 4.5.5, EventON WordPress plugin before 2.2.7 do not have authorisation in an AJAX action, allowing unauthenticated users to retrieve email addresses of any users on the blog
VulnCheck
myeventon eventon Missing Authorization · vulncheck · 2024 · CVSS 5.3 · CVE-2024-0235 · MEDIUM
The EventON WordPress plugin before 4.5.5, EventON WordPress plugin before 2.2.7 do not have authorisation in an AJAX action, allowing unauthenticated users to retrieve email addresses of any users on the blog
Affected: myeventon eventon
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References:
- https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2025-08-23&host_type=src&vulnerability=cve-2024-0235
- https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2025-08-25&host_type=src&vulnerability=cve-2024-0235
- https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/
No detection rules found.
Nuclei
EventON (Free < 2.2.8, Premium < 4.5.5) - Information Disclosure · nuclei · CVSS 5.3 · CVE-2024-0235 · MEDIUM
The EventON WordPress plugin before 4.5.5, EventON WordPress plugin before 2.2.7 do not have authorization in an AJAX action, allowing unauthenticated users to retrieve email addresses of any users on the blog.
Template (info block as shown on this page):

```yaml
id: CVE-2024-0235

info:
  name: EventON (Free < 2.2.8, Premium < 4.5.5) - Information Disclosure
  author: ProjectDiscoveryAI
  severity: medium
  description: |
    The EventON WordPress plugin before 4.5.5, EventON WordPress plugin before 2.2.7 do not have authorization in an AJAX action, allowing unauthenticated users to retrieve email addresses of any users on the blog.
  impact: |
    An attacker could potentially access sensitive email information.
  remediation: |
    Update to the latest version of the EventON WordPress
```