PT-2024-14892 · WordPress · The Eventon

Francesco Carlucci

·

Published

2024-01-10

·

Updated

2024-01-17

·

CVE-2023-6158

CVSS v3.1

6.5

Medium

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Name of the Vulnerable Software and Affected Versions

The EventON - WordPress Virtual Event Calendar Plugin versions 2.2.7 and earlier (free)
The EventON - WordPress Virtual Event Calendar Plugin versions 4.5.4 and earlier (Pro)

Description

The issue is a missing capability check on the evo eventpost update meta function, which allows unauthenticated attackers to update and remove arbitrary post metadata. This can lead to unauthorized modification of data and to loss of data. Certain parameters may also allow content injection.

Recommendations

For the free plugin (versions 2.2.7 and earlier), update to a version later than 2.2.7 to resolve the issue. For the Pro plugin (versions 4.5.4 and earlier), update to a version later than 4.5.4 to resolve the issue. As a temporary workaround, consider restricting access to the evo eventpost update meta function until the plugin can be updated.
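The pattern behind this class of bug, shown as an added illustration rather than EventON's own code: a WordPress admin-ajax handler that writes post meta without checking who is calling, next to a hardened version. The action name `demo_update_meta`, the meta keys and the nonce action are assumptions; they are not taken from the plugin.

```php
<?php
// Added example, not EventON's code. Shows the missing-capability-check shape
// the advisory describes, then the hardened form. All names are hypothetical.

// --- Vulnerable pattern: reachable by logged-out users and trusts the request. ---
add_action( 'wp_ajax_demo_update_meta',        'demo_update_meta_vulnerable' );
add_action( 'wp_ajax_nopriv_demo_update_meta', 'demo_update_meta_vulnerable' );

function demo_update_meta_vulnerable() {
    $post_id = (int) $_POST['post_id'];
    $key     = $_POST['meta_key'];
    $value   = $_POST['meta_value'];

    // No nonce, no capability check, no key restriction: anyone who can reach
    // admin-ajax.php can write or delete any meta key on any post.
    if ( $value === '' ) {
        delete_post_meta( $post_id, $key );
    } else {
        update_post_meta( $post_id, $key, $value );
    }
    wp_send_json_success();
}

// --- Hardened pattern: authenticated only, nonce + capability + meta-key allowlist. ---
add_action( 'wp_ajax_demo_update_meta_safe', 'demo_update_meta_safe' );
// Deliberately no wp_ajax_nopriv_ hook: admin-ajax.php rejects logged-out callers.

function demo_update_meta_safe() {
    // CSRF protection: the nonce must have been issued for this action.
    check_ajax_referer( 'demo_update_meta_nonce', 'nonce' );

    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    $key     = isset( $_POST['meta_key'] ) ? sanitize_key( $_POST['meta_key'] ) : '';
    $value   = isset( $_POST['meta_value'] )
        ? sanitize_text_field( wp_unslash( $_POST['meta_value'] ) )
        : '';

    // Authorization: the caller must be allowed to edit this specific post.
    if ( ! $post_id || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // Only meta keys this feature owns (assumed names); blocks writes to
    // protected _wp_* keys and to other plugins' metadata.
    $allowed_keys = array( 'demo_event_location', 'demo_event_start' );
    if ( ! in_array( $key, $allowed_keys, true ) ) {
        wp_send_json_error( 'invalid meta key', 400 );
    }

    if ( $value === '' ) {
        delete_post_meta( $post_id, $key );
    } else {
        update_post_meta( $post_id, $key, $value );
    }
    wp_send_json_success();
}
```

The capability check is the one that matters for CVE-2023-6158: `check_ajax_referer()` alone only proves the request originated from a page that handed out the nonce, which is trivially true for a logged-out visitor if the nonce is printed on a public page. `current_user_can( 'edit_post', $post_id )` ties the write to a user who may edit that post, and the key allowlist limits what even an authorized user can touch.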

Fix

Weakness Enumeration

Missing Authorization

Related Identifiers

CVE-2023-6158

Affected Products

The Eventon