CVE-2024-0237: 
WordPress vulnerability analysis and mitigation

The EventON WordPress plugin through version 4.5.8 and EventON WordPress plugin before version 2.2.7 contain a missing authorization vulnerability (CVE-2024-0237). The vulnerability was discovered and disclosed on January 10, 2024, affecting the EventON plugin for WordPress content management system. The issue impacts both the free and premium versions of the plugin (WPScan Advisory).

The vulnerability stems from missing authorization checks in certain AJAX actions within the plugin. This security flaw allows unauthenticated users to update virtual events settings, including sensitive information such as meeting URLs, moderator details, and access credentials. The vulnerability has been assigned a CVSS v3.1 base score of 5.3 (Medium) and is classified as CWE-862 (Missing Authorization) (NVD).

If exploited, this vulnerability allows unauthorized users to modify virtual event settings without authentication. Attackers can alter meeting URLs, change moderator assignments, and modify access details for virtual events. This could lead to unauthorized access to virtual events and potential disruption of scheduled online meetings (WPScan Advisory).

The vulnerability has been patched in EventON version 4.5.9 for the premium plugin and version 2.2.9 for the free version. Users are strongly advised to update to these versions or later. While version 4.5.8 added capability and CSRF checks, the nonce verification was flawed, still allowing the issue to be exploited via CSRF (WPScan Advisory).