CVE-2024-4752: 
WordPress vulnerability analysis and mitigation

The EventON WordPress plugin versions before 2.2.15 contains a stored Cross-Site Scripting (XSS) vulnerability that affects the event subtitle functionality. The vulnerability was discovered and publicly disclosed on June 22, 2024, and affects high-privilege users such as administrators (WPScan).

The vulnerability stems from improper sanitization and escaping of settings in the plugin, specifically in the event subtitle field. This security flaw could allow high-privilege users to perform Stored Cross-Site Scripting attacks, even in environments where the unfiltered_html capability is disallowed, such as in multisite setups. The vulnerability has been assigned a CVSS score of 3.5 (low severity) and is classified under CWE-79 (WPScan).

The vulnerability allows high-privilege users to inject and store malicious JavaScript code through the event subtitle field, which could then be executed when other users view the affected pages. This could potentially lead to unauthorized actions being performed on behalf of other authenticated users (WPScan).

The vulnerability has been fixed in EventON version 2.2.15. Users are advised to update to this version or later to mitigate the security risk (WPScan).