CVE-2023-7200: 
WordPress vulnerability analysis and mitigation

The EventON WordPress plugin before version 4.4.1 contains a Reflected Cross-Site Scripting (XSS) vulnerability. The vulnerability was discovered and disclosed on January 5, 2024, and was assigned CVE-2023-7200. The issue affects all versions of the EventON WordPress plugin prior to version 4.4.1 (WPScan, NVD).

The vulnerability exists because the plugin does not properly sanitize and escape a parameter before outputting it back in the page. This security flaw has been assigned a CVSS v3.1 base score of 6.1 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The vulnerability is classified as CWE-79: Improper Neutralization of Input During Web Page Generation (NVD).

When successfully exploited, this vulnerability could allow an attacker to execute cross-site scripting attacks against high-privilege users such as administrators. This could potentially lead to unauthorized actions being performed in the context of the administrator's session (WPScan).

The vulnerability has been fixed in EventON version 4.4.1. Users are advised to update to this version or later to mitigate the risk (WPScan).