CVE-2023-2796: 
WordPress vulnerability analysis and mitigation

The EventON WordPress plugin before version 2.1.2 contains a vulnerability identified as CVE-2023-2796. The vulnerability stems from a lack of authentication and authorization in the eventonicsdownload ajax action, which allows unauthenticated visitors to access private and password-protected Events by guessing their numeric ID. This vulnerability affects both eventon-lite (fixed in 2.1.2) and eventON (fixed in 4.4) versions (WPScan).

The vulnerability is classified as a Missing Authorization issue (CWE-862) with a CVSS v3.1 base score of 5.3 (Medium) and vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N. The exploit can be triggered through the WordPress admin-ajax endpoint using the parameter action=eventonicsdownload with an event_id value (WPScan, NVD).

The vulnerability allows unauthorized access to private and password-protected events within the EventON calendar system. This could lead to the exposure of sensitive event information that was intended to be restricted (WPScan).

Users should upgrade to EventON version 4.4 or later, or EventON Lite version 2.1.2 or later to address this vulnerability (WPScan).