CVE-2024-0233: 
WordPress vulnerability analysis and mitigation

The EventON WordPress plugin versions before 4.5.5 and EventON Lite WordPress plugin versions before 2.2.7 contain a reflected Cross-Site Scripting (XSS) vulnerability. The vulnerability was discovered and disclosed on January 10, 2024, and was assigned CVE-2024-0233 (WPScan Advisory).

The vulnerability stems from improper sanitization and escaping of a parameter before it is output back in pages. This security flaw has been assigned a CVSS v3.1 base score of 6.1 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation) and CWE-116 (Improper Encoding or Escaping of Output) (NVD Database).

The vulnerability could be exploited against high-privilege users such as administrators. When successfully exploited, it allows for reflected cross-site scripting attacks, potentially leading to unauthorized actions being performed in the context of the administrator's session (WPScan Advisory).

Users are advised to update to EventON version 4.5.5 or later, or EventON Lite version 2.2.8 or later to address this vulnerability (WPScan Advisory).