CVE-2024-0236

CWE-862 — Missing Authorization3 documents3 sources

Severity

5.3MEDIUM

EPSS

0.5%

top 35.28%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Unknown Eventon Myeventon Eventon

Timeline

PublishedJan 16

Description

The EventON WordPress plugin before 4.5.5, EventON WordPress plugin before 2.2.7 do not have authorisation in an AJAX action, allowing unauthenticated users to retrieve the settings of arbitrary virtual events, including any meeting password set (for example for Zoom)

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages2 packages

▶CVEListV5unknown/eventon< 4.5.5+1

▶NVDmyeventon/eventon4.0 — 4.5.5+1

🔴Vulnerability Details

CVEList

EventON (Free < 2.2.8, Premium < 4.5.5) - Unauthenticated Virtual Event Password Disclosure↗2024-01-16

▶

GHSA

GHSA-7cv2-662c-vm87: The EventON WordPress plugin before 4↗2024-01-16

▶