Vulnerability Description
The EventON plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'eventon_import_settings' ajax action in all versions up to, and including, 2.2.15. This makes it possible for unauthenticated attackers to update plugin settings, including adding stored cross-site scripting to settings options displayed on event calendar pages.
CVSS Score
HIGH
Related Weaknesses (CWE)
References
- https://plugins.trac.wordpress.org/changeset/3121634/eventon-lite/trunk/includes
- https://www.wordfence.com/threat-intel/vulnerabilities/id/12f3dc64-322d-4015-8c5
- https://plugins.trac.wordpress.org/browser/eventon-lite/trunk/assets/js/admin/wp
- https://plugins.trac.wordpress.org/browser/eventon-lite/trunk/includes/calendar/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/12f3dc64-322d-4015-8c5
FAQ
What is CVE-2024-6180?
CVE-2024-6180 is a vulnerability with a CVSS score of 7.2 (HIGH). The EventON plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'eventon_import_settings' ajax action in all versions up to, and including,...
How severe is CVE-2024-6180?
CVE-2024-6180 has been rated HIGH with a CVSS base score of 7.2/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2024-6180?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.