CVE-2023-6158
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
10/01/2024
Last modified:
03/06/2025
Description
The EventON - WordPress Virtual Event Calendar Plugin plugin for WordPress is vulnerable to unauthorized modification of data and loss of data due to a missing capability check on the evo_eventpost_update_meta function in all versions up to, and including, 4.5.4 (for Pro) and 2.2.7 (for free). This makes it possible for unauthenticated attackers to update and remove arbitrary post metadata. Note that certain parameters may allow for content injection.
Impact
Base Score 3.x
6.50
Severity 3.x
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:myeventon:eventon:*:*:*:*:*:wordpress:*:* | 4.5.4 (including) | |
| cpe:2.3:a:myeventon:eventon-lite:*:*:*:*:*:wordpress:*:* | 2.2.7 (including) |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- https://docs.myeventon.com/documentations/eventon-changelog/
- https://plugins.trac.wordpress.org/changeset/3017578/eventon-lite/trunk/includes/admin/class-admin-ajax.php
- https://www.wordfence.com/threat-intel/vulnerabilities/id/19f94c4f-145b-4058-aabd-06525fce3cea?source=cve
- https://docs.myeventon.com/documentations/eventon-changelog/
- https://plugins.trac.wordpress.org/changeset/3017578/eventon-lite/trunk/includes/admin/class-admin-ajax.php
- https://www.wordfence.com/threat-intel/vulnerabilities/id/19f94c4f-145b-4058-aabd-06525fce3cea?source=cve