CVE-2024-6180

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-6180
The EventON plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'eventon_import_settings' ajax action in all versions up to, and including, 2.2.15. This makes it possible for unauthenticated attackers to update plugin settings, including adding stored cross-site scripting to settings options displayed on event calendar pages.

7.2 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References
Link Resource
https://plugins.trac.wordpress.org/changeset/3121634/eventon-lite/trunk/includes/admin/class-admin-ajax.php
https://www.wordfence.com/threat-intel/vulnerabilities/id/12f3dc64-322d-4015-8c57-eaa41c9a1829?source=cve
https://plugins.trac.wordpress.org/browser/eventon-lite/trunk/assets/js/admin/wp_admin.js#L714
https://plugins.trac.wordpress.org/browser/eventon-lite/trunk/includes/calendar/class-calendar-event-structure.php#L590
https://www.wordfence.com/threat-intel/vulnerabilities/id/12f3dc64-322d-4015-8c57-eaa41c9a1829?source=cve
Configurations

No configuration.

History

08 Apr 2026, 17:19

Type Values Removed Values Added
References
  • () https://plugins.trac.wordpress.org/changeset/3121634/eventon-lite/trunk/includes/admin/class-admin-ajax.php -
CWE CWE-862

21 Nov 2024, 09:49

Type Values Removed Values Added
References () https://plugins.trac.wordpress.org/browser/eventon-lite/trunk/assets/js/admin/wp_admin.js#L714 - () https://plugins.trac.wordpress.org/browser/eventon-lite/trunk/assets/js/admin/wp_admin.js#L714 -
References () https://plugins.trac.wordpress.org/browser/eventon-lite/trunk/includes/calendar/class-calendar-event-structure.php#L590 - () https://plugins.trac.wordpress.org/browser/eventon-lite/trunk/includes/calendar/class-calendar-event-structure.php#L590 -
References () https://www.wordfence.com/threat-intel/vulnerabilities/id/12f3dc64-322d-4015-8c57-eaa41c9a1829?source=cve - () https://www.wordfence.com/threat-intel/vulnerabilities/id/12f3dc64-322d-4015-8c57-eaa41c9a1829?source=cve -

09 Jul 2024, 18:19

Type Values Removed Values Added
Summary
  • (es) El complemento EventON para WordPress es vulnerable a modificaciones no autorizadas de datos debido a una falta de verificación de capacidad en la acción ajax 'eventon_import_settings' en todas las versiones hasta la 2.2.15 incluida. Esto hace posible que atacantes no autenticados actualicen la configuración del complemento, incluida la adición de Cross Site Scripting almacenado a las opciones de configuración que se muestran en las páginas del calendario de eventos.

09 Jul 2024, 08:15

Type Values Removed Values Added
New CVE
Information

Published : 2024-07-09 08:15

Updated : 2026-04-08 17:19

NVD link : CVE-2024-6180

Mitre link : CVE-2024-6180

CVE.ORG link : CVE-2024-6180

JSON object : View

Products Affected

No product.

CWE
CWE-862

Missing Authorization