CVE-2023-2796

EventON < 2.1.2 - Unauthenticated Event Access

EPSS 37.5%

Vexday Risk Score

35Attention

SSVC decision (CISA)

Attend

PoC available → attend closely

CVSS —EPSS 37.5%KEV nãoPoC públicaPatch —

Lifecycle

10 Jul 2023Published on NVD

04 Aug 2023Public PoC

Recommendation: Plan a near-term fix — a public PoC already exists.

The EventON WordPress plugin before 2.1.2 lacks authentication and authorization in its eventon_ics_download ajax action, allowing unauthenticated visitors to access private and password protected Events by guessing their numeric id.

Affected products

Unknown · EventON

public PoCs found — 3

cve_referencepacketstormsecurity.com/files/173984/WordPress-EventON-Calendar-4.4-Insecure-Direct-Object-Reference.htmlunverified cve_referencewpscan.com/vulnerability/e9ef793c-e5a3-4c55-beee-56b0909f7a0dunverified exploitdbwww.exploit-db.com/exploits/51658unverified

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

http://packetstormsecurity.com/files/173984/WordPress-EventON-Calendar-4.4-Insecure-Direct-Object-Reference.html https://wpscan.com/vulnerability/e9ef793c-e5a3-4c55-beee-56b0909f7a0d