CVE-2023-6158 - OpenCVE

The EventON - WordPress Virtual Event Calendar Plugin plugin for WordPress is vulnerable to unauthorized modification of data and loss of data due to a missing capability check on the evo_eventpost_update_meta function in all versions up to, and including, 4.5.4 (for Pro) and 2.2.7 (for free). This makes it possible for unauthenticated attackers to update and remove arbitrary post metadata. Note that certain parameters may allow for content injection.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Myeventon	Eventon Eventon-lite

Configuration 1 [-]

OR	cpe:2.3:a:myeventon:eventon::::::wordpress::*
	cpe:2.3:a:myeventon:eventon-lite::::::wordpress::*

No data.

References

Link	Providers
https://docs.myeventon.com/documentations/eventon-changelog/
https://plugins.trac.wordpress.org/changeset/3017578/eventon-lite/trunk/includes/admin/class-admin-ajax.php
https://www.wordfence.com/threat-intel/vulnerabilities/id/19f94c4f-145b-4058-aabd-06525fce3cea?source=cve

History

No history.

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2024-01-10T14:32:07.924Z

Updated: 2024-08-02T08:21:17.674Z

Reserved: 2023-11-15T17:32:26.855Z

Link: CVE-2023-6158

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2024-01-10T15:15:10.167

Modified: 2024-01-17T17:36:01.273

Link: CVE-2023-6158

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-6158", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2023-11-15T17:32:26.855Z", "datePublished": "2024-01-10T14:32:07.924Z", "dateUpdated": "2024-08-02T08:21:17.674Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2024-01-10T14:32:07.924Z"}, "affected": [{"vendor": "ashanjay", "product": "EventON", "versions": [{"version": "*", "status": "affected", "lessThanOrEqual": "2.2.7", "versionType": "semver"}], "defaultStatus": "unaffected"}, {"vendor": "EventON", "product": "EventON Pro", "versions": [{"version": "*", "status": "affected", "lessThanOrEqual": "4.5.4", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The EventON - WordPress Virtual Event Calendar Plugin plugin for WordPress is vulnerable to unauthorized modification of data and loss of data due to a missing capability check on the evo_eventpost_update_meta function in all versions up to, and including, 4.5.4 (for Pro) and 2.2.7 (for free). This makes it possible for unauthenticated attackers to update and remove arbitrary post metadata. Note that certain parameters may allow for content injection."}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/19f94c4f-145b-4058-aabd-06525fce3cea?source=cve"}, {"url": "https://docs.myeventon.com/documentations/eventon-changelog/"}, {"url": "https://plugins.trac.wordpress.org/changeset/3017578/eventon-lite/trunk/includes/admin/class-admin-ajax.php"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", "baseScore": 6.5, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Francesco Carlucci"}], "timeline": [{"time": "2024-01-09T00:00:00.000+00:00", "lang": "en", "value": "Disclosed"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T08:21:17.674Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/19f94c4f-145b-4058-aabd-06525fce3cea?source=cve", "tags": ["x_transferred"]}, {"url": "https://docs.myeventon.com/documentations/eventon-changelog/", "tags": ["x_transferred"]}, {"url": "https://plugins.trac.wordpress.org/changeset/3017578/eventon-lite/trunk/includes/admin/class-admin-ajax.php", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:myeventon:eventon:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "2EDE7CA5-2467-4B83-B8B5-9940A7CBD275", "versionEndIncluding": "4.5.4", "vulnerable": true}, {"criteria": "cpe:2.3:a:myeventon:eventon-lite:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "131AC85C-5608-42D1-B684-C2844FA4119B", "versionEndIncluding": "2.2.7", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The EventON - WordPress Virtual Event Calendar Plugin plugin for WordPress is vulnerable to unauthorized modification of data and loss of data due to a missing capability check on the evo_eventpost_update_meta function in all versions up to, and including, 4.5.4 (for Pro) and 2.2.7 (for free). This makes it possible for unauthenticated attackers to update and remove arbitrary post metadata. Note that certain parameters may allow for content injection."}, {"lang": "es", "value": "El complemento EventON - WordPress Virtual Event Calendar Plugin para WordPress es vulnerable a modificaciones no autorizadas de datos y p\u00e9rdida de datos debido a una falta de verificaci\u00f3n de capacidad en la funci\u00f3n evo_eventpost_update_meta en todas las versiones hasta 4.5.4 (para Pro) y 2.2.7 incluida (gratis). Esto hace posible que atacantes no autenticados actualicen y eliminen metadatos de publicaciones arbitrarias. Tenga en cuenta que ciertos par\u00e1metros pueden permitir la inyecci\u00f3n de contenido."}], "id": "CVE-2023-6158", "lastModified": "2024-01-17T17:36:01.273", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2024-01-10T15:15:10.167", "references": [{"source": "security@wordfence.com", "tags": ["Release Notes"], "url": "https://docs.myeventon.com/documentations/eventon-changelog/"}, {"source": "security@wordfence.com", "tags": ["Patch"], "url": "https://plugins.trac.wordpress.org/changeset/3017578/eventon-lite/trunk/includes/admin/class-admin-ajax.php"}, {"source": "security@wordfence.com", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/19f94c4f-145b-4058-aabd-06525fce3cea?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "nvd@nist.gov", "type": "Primary"}]}