CVE-2024-0236: 
WordPress vulnerability analysis and mitigation

The EventON WordPress plugin before version 4.5.5 and EventON Lite WordPress plugin before version 2.2.8 contain a missing authorization vulnerability in an AJAX action. The vulnerability was discovered on January 10, 2024, and was assigned CVE-2024-0236 (WPScan, NVD).

The vulnerability stems from a lack of proper authorization checks in an AJAX action, which allows unauthenticated users to retrieve the settings of arbitrary virtual events, including sensitive information such as meeting passwords (for example, Zoom meeting credentials). The vulnerability has been assigned a CVSS v3.1 base score of 5.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, indicating network accessibility with low attack complexity and no privileges required (NVD).

The vulnerability allows unauthorized users to access sensitive virtual event settings, including meeting passwords. This could potentially lead to unauthorized access to private virtual events and meetings, compromising the confidentiality of these sessions (WPScan).

The vulnerability has been fixed in EventON version 4.5.5 and EventON Lite version 2.2.8. Users are advised to update their installations to these or later versions to mitigate the security risk (WPScan).