CVE-2024-0238: 
WordPress vulnerability analysis and mitigation

The EventON Premium WordPress plugin before 4.5.6 and EventON WordPress plugin before 2.2.8 contain a security vulnerability related to missing authorization in an AJAX action. The vulnerability was discovered in January 2024 and affects both the free and premium versions of the EventON plugin for WordPress (WPScan Advisory).

The vulnerability stems from a lack of proper authorization checks in an AJAX action, combined with insufficient validation of post ownership within the plugin. The issue has been assigned a CVSS v3.1 base score of 6.1 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The vulnerability is classified under CWE-862 (Missing Authorization) and CWE-79 (Cross-site Scripting) (NVD).

This vulnerability allows unauthenticated users to update arbitrary post metadata. The impact is particularly severe as it could lead to Unauthenticated Stored XSS attacks due to lack of sanitization in the Free plugin before 2.7.7 and Premium before 4.5.5 (WPScan Advisory).

Users are advised to update their installations to EventON Premium version 4.5.6 or EventON Free version 2.2.8, which contain fixes for this vulnerability (WPScan Advisory).