PT-2024-14909 · WordPress · The Eventon

Francesco Carlucci · Published 2024-01-11 · Updated 2024-01-18 · CVE-2023-6242

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions
The EventON - WordPress Virtual Event Calendar Plugin, versions 2.2.7 and earlier (Free)
The EventON - WordPress Virtual Event Calendar Plugin, versions 4.5.4 and earlier (Pro)

Description
The issue is due to missing or incorrect nonce validation on the evo_eventpost_update_meta function, making it possible for unauthenticated attackers to update arbitrary post metadata via a forged request. This can happen if an attacker can trick a site administrator into performing an action such as clicking on a link while logged in.

Recommendations
For versions 2.2.7 and earlier (Free), update to a version later than 2.2.7 to resolve the issue. For versions 4.5.4 and earlier (Pro), update to a version later than 4.5.4 to resolve the issue. As a temporary workaround, consider disabling the evo_eventpost_update_meta function until a patch is available.
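The following is an added illustrative example, not EventON's code and not the vendor's fix: a generic WordPress AJAX handler that updates post meta, shown first without nonce validation (the class of defect described above) and then hardened. The function, action and nonce names (demo_eventpost_update_meta and friends) are assumptions for the demo.

```php
<?php
// Illustrative WordPress AJAX handler, added as an example; this is not the
// EventON plugin's code. Function, action and nonce names are assumed for the demo.

// Before: the handler trusts any request that reaches it. A request forged by a
// third-party page and sent with a logged-in administrator's cookies passes
// through unchanged, so arbitrary post meta can be written.
function demo_eventpost_update_meta_unsafe() {
    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    $key     = isset( $_POST['meta_key'] ) ? sanitize_key( $_POST['meta_key'] ) : '';
    $value   = isset( $_POST['meta_value'] )
        ? sanitize_text_field( wp_unslash( $_POST['meta_value'] ) ) : '';

    update_post_meta( $post_id, $key, $value ); // no nonce check, no capability check
    wp_send_json_success();
}

// After: verify the nonce first (proves the request came from a page or script
// this site issued to this user), then the capability (proves the user may edit
// this post), then restrict which keys may be written.
function demo_eventpost_update_meta_safe() {
    // check_ajax_referer() terminates the request with an error response when
    // the nonce is missing or invalid, so nothing below runs on a forged request.
    check_ajax_referer( 'demo_eventpost_update_meta', 'nonce' );

    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    if ( ! $post_id || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $key   = isset( $_POST['meta_key'] ) ? sanitize_key( $_POST['meta_key'] ) : '';
    $value = isset( $_POST['meta_value'] )
        ? sanitize_text_field( wp_unslash( $_POST['meta_value'] ) ) : '';
    // Refuse empty and protected (underscore-prefixed / registered-protected) keys.
    if ( '' === $key || is_protected_meta( $key, 'post' ) ) {
        wp_send_json_error( 'invalid meta key', 400 );
    }

    update_post_meta( $post_id, $key, $value );
    wp_send_json_success();
}
// Registered for logged-in users only; deliberately no wp_ajax_nopriv_ variant.
add_action( 'wp_ajax_demo_eventpost_update_meta', 'demo_eventpost_update_meta_safe' );

// The site's own editor script must carry the matching nonce, e.g. via
// localized script data, so that legitimate requests include it.
function demo_enqueue_editor_script() {
    wp_enqueue_script( 'demo-editor', plugins_url( 'editor.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'demo-editor', 'demoEditor', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'demo_eventpost_update_meta' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'demo_enqueue_editor_script' );
```

The capability check on its own does not close a CSRF hole: a forged request riding an administrator's session satisfies current_user_can(). The nonce is what binds the request to a page the site itself served to that user, which is why the advisory's fix is nonce validation rather than an authorization change. When reviewing a plugin for this defect, look at every admin-ajax.php or admin-post.php handler that writes data and confirm a check_ajax_referer() or wp_verify_nonce() call precedes the write.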

Fix

CSRF


Weakness Enumeration

Related Identifiers

CVE-2023-6242

Affected Products

The Eventon