CVE-2024-0238: EventON (Free < 2.2.8, Premium < 4.5.6) - Unauthenticated Arbitrary Post Metadata Update

Description

The EventON Premium WordPress plugin before 4.5.6, EventON WordPress plugin before 2.2.8 do not have authorisation in an AJAX action, and does not ensure that the post to be updated belong to the plugin, allowing unauthenticated users to update arbitrary post metadata.

Classification

CVE ID: CVE-2024-0238

Problem Types

CWE-862 Missing Authorization

Affected Products

Vendor: Unknown

Product: EventON Premium, EventON

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.73% (probability of being exploited)

EPSS Percentile: 71.48% (scored less or equal to compared to others)

EPSS Date: 2025-06-06 (when was this score calculated)

Stakeholder-Specific Vulnerability Categorization (SSVC)

SSVC Exploitation: none

SSVC Technical Impact: partial

SSVC Automatable: false

References

https://nvd.nist.gov/vuln/detail/CVE-2024-0238
https://wpscan.com/vulnerability/774655ac-b201-4d9f-8790-9eff8564bc91/

Timeline

2025-06-02 16:40:11 UTC
CVE

EventON (Free < 2.2.8, Premium < 4.5.6) - Unauthenticated Arbitrary Post Metadata Update