CVE-2024-6180 — Missing Authorization in Eventon Events Calendar

CWE-862 — Missing Authorization3 documents3 sources

Severity

7.2HIGHNVD

EPSS

0.7%

top 28.21%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Ashanjay Eventon Events Calendar

Timeline

PublishedJul 9

Description

The EventON plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'eventon_import_settings' ajax action in all versions up to, and including, 2.2.15. This makes it possible for unauthenticated attackers to update plugin settings, including adding stored cross-site scripting to settings options displayed on event calendar pages.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:NExploitability: 3.9 | Impact: 2.7

Affected Packages1 packages

▶CVEListV5ashanjay/eventon_events_calendar2.2.15

🔴Vulnerability Details

GHSA

GHSA-j9j6-ccc3-92c8: The EventON plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'eventon_import_settings'↗2024-07-09

▶

CVEList

EventON <= 2.2.15 - Missing Authorization to Unauthenticated Stored Cross-Site Scripting and Plugin Settings Updates↗2024-07-09

▶