CVE-2023-6158
EventON - WordPress Virtual Event Calendar Plugin Pro <= 4.5.4 & Free <= 2.2.7 - Missing Authorization to Arbitrary Post Meta Update via evo_eventpost_update_meta
CVSS Score
6.5
EPSS Score
0.0%
EPSS Percentile
0th
The EventON - WordPress Virtual Event Calendar Plugin plugin for WordPress is vulnerable to unauthorized modification of data and loss of data due to a missing capability check on the evo_eventpost_update_meta function in all versions up to, and including, 4.5.4 (for Pro) and 2.2.7 (for free). This makes it possible for unauthenticated attackers to update and remove arbitrary post metadata. Note that certain parameters may allow for content injection. CVE-2024-0238 appears to be a duplicate of this issue.
| CWE | CWE-862 |
| Vendor | ashanjay |
| Product | eventon – events calendar |
| Published | Jan 10, 2024 |
| Last Updated | Apr 8, 2026 |
Stay Ahead of the Next One
Get instant alerts for ashanjay eventon – events calendar
Be the first to know when new medium vulnerabilities affecting ashanjay eventon – events calendar are published — delivered to Slack, Telegram or Discord.
Get Free Alerts →
Free · No credit card · 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Affected Versions
ashanjay / EventON – Events Calendar
0 ≤ 2.2.7
EventON / EventON (Pro) - WordPress Virtual Event Calendar Plugin
0 ≤ 4.5.4
References
wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/19f94c4f-145b-4058-aabd-06525fce3cea?source=cve docs.myeventon.com: https://docs.myeventon.com/documentations/eventon-changelog/ plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/changeset/3017578/eventon-lite/trunk/includes/admin/class-admin-ajax.php
Credits
Francesco Carlucci