CVE-2023-3219

Name of the Vulnerable Software and Affected Versions EventON WordPress plugin versions prior to 2.1.2

Description The issue is related to the eventon ics download ajax action in the EventON WordPress plugin, where the event id parameter is not properly validated, allowing unauthorized access to post content, including unpublished or protected posts, by providing the numeric id of the post. This can be exploited by unauthenticated visitors. The vulnerability is also described as an error in handling user-controlled authorization keys, which can allow a remote attacker to gain unauthorized access to protected information.

Recommendations For versions prior to 2.1.2, update to version 2.1.2 or later to resolve the issue. As a temporary workaround, consider disabling the eventon ics download ajax action until a patch is available. Restrict access to the ics export functionality to minimize the risk of exploitation. Avoid using the event id parameter in the affected API endpoint until the issue is resolved.