Cyber Resilience

CVE-2023-3219

Medium · Public PoC

Published: 10 July 2023
Modified: 21 November 2024
KEV Added: not listed
Patch: version 2.1.2
CVSS Score v3.1: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
EPSS Score: 0.7471 (98.9th percentile)
Risk Priority: 55 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-3219 is a medium-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in Myeventon Eventon. Its CVSS base score is 5.3 (Medium).

Operationally, it ranks in the top 1.1% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

The EventON WordPress plugin before version 2.1.2 contains an insecure direct object reference vulnerability (CWE-639) in the eventon_ics_download AJAX action. The plugin fails to validate that the supplied event_id parameter corresponds to a legitimate Event post type, enabling any numeric post identifier to be passed to the ICS export functionality.

Unauthenticated remote attackers can exploit the flaw by issuing crafted requests to the AJAX endpoint with arbitrary post IDs. Successful exploitation grants read access to the full content of any post, including drafts, private, or otherwise protected entries that would normally be inaccessible.

Public disclosures on WPScan and Packet Storm document the issue and provide proof-of-concept requests; the vendor addressed the vulnerability by releasing version 2.1.2, which adds proper validation of the event_id parameter. The associated EPSS score reached a peak of 0.7763, indicating measurable post-disclosure interest in the flaw.
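The missing check described above, as an added illustration that is not EventON's own code: a WordPress AJAX handler registered for the same action name that verifies the requested ID is a published, publicly viewable event before rendering anything. The post type slug, the build_ics helper and the function names are assumptions.

```php
<?php
// Added illustration, not EventON's own code: a WordPress AJAX handler that
// exports an event as ICS only after checking that the requested ID is a
// published, publicly viewable event. EVENT_POST_TYPE and build_ics are assumed.

const EVENT_POST_TYPE = 'ajde_events'; // assumption: confirm against the plugin's CPT registration

// Weak pattern described in the advisory: only existence of the post is checked,
// not its type or status, so any post's content can be exported by numeric ID.
function ics_download_unvalidated() {
    $post = get_post( absint( $_GET['event_id'] ) );
    if ( $post ) {
        echo build_ics( $post );
    }
    wp_die();
}

// Hardened handler: type, status and visibility are verified before output.
function ics_download_validated() {
    $event_id = isset( $_GET['event_id'] ) ? absint( $_GET['event_id'] ) : 0;
    $post     = $event_id ? get_post( $event_id ) : null;

    if ( ! $post
        || EVENT_POST_TYPE !== $post->post_type     // not an event post
        || 'publish' !== $post->post_status          // draft, pending, private, trash
        || post_password_required( $post )           // password-protected
        || ! is_post_publicly_viewable( $post ) ) {  // WP 5.7+: non-public CPT or status
        wp_send_json_error( array( 'message' => 'Invalid event.' ), 404 ); // also terminates
    }

    header( 'Content-Type: text/calendar; charset=utf-8' );
    header( 'Content-Disposition: attachment; filename="event-' . $post->ID . '.ics"' );
    echo build_ics( $post );
    wp_die();
}

function build_ics( WP_Post $post ) {
    // Minimal VEVENT for illustration; a real exporter adds DTSTART/DTEND from event meta.
    $clean = function ( $s ) { return str_replace( array( "\r", "\n" ), ' ', $s ); };
    return "BEGIN:VCALENDAR\r\nVERSION:2.0\r\nBEGIN:VEVENT\r\n"
        . 'UID:' . $post->ID . '@' . wp_parse_url( home_url(), PHP_URL_HOST ) . "\r\n"
        . 'SUMMARY:' . $clean( $post->post_title ) . "\r\n"
        . 'DESCRIPTION:' . $clean( wp_strip_all_tags( $post->post_content ) ) . "\r\n"
        . "END:VEVENT\r\nEND:VCALENDAR\r\n";
}

// Same action name as in the advisory. The nopriv hook makes the endpoint
// reachable without login, so the authorization check must live in the handler.
add_action( 'wp_ajax_eventon_ics_download', 'ics_download_validated' );
add_action( 'wp_ajax_nopriv_eventon_ics_download', 'ics_download_validated' );
```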

Vulnerability details

The EventON WordPress plugin before 2.1.2 does not validate that the event_id parameter in its eventon_ics_download ajax action is a valid Event, allowing unauthenticated visitors to access any Post (including unpublished or protected posts) content via the ics export functionality by providing the numeric id of the post.

CWE(s)

CWE-639: Authorization Bypass Through User-Controlled Key

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: myeventon
Product: eventon
Versions: ≤ 2.1.2

Mitigating Controls

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Per-request decision making (addresses CWE-639): evaluating authorization on every request makes it harder to bypass access control with user-controlled keys, provided the key is validated as part of the decision.

Consistent enforcement of approved authorizations (addresses CWE-639): applying the approved authorization check uniformly at every access path makes bypass via user-controlled keys ineffective.
