CVE-2023-3219
Published: 10 July 2023
Summary
CVE-2023-3219 is a medium-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in Myeventon Eventon. Its CVSS base score is 5.3 (Medium).
Operationally, it ranks in the top 1.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
The EventON WordPress plugin before version 2.1.2 contains an insecure direct object reference vulnerability (CWE-639) in the eventon_ics_download AJAX action. The plugin fails to validate that the supplied event_id parameter corresponds to a legitimate Event post type, enabling any numeric post identifier to be passed to the ICS export functionality.
Unauthenticated remote attackers can exploit the flaw by issuing crafted requests to the AJAX endpoint with arbitrary post IDs. Successful exploitation grants read access to the full content of any post, including drafts, private, or otherwise protected entries that would normally be inaccessible.
Public disclosures on WPScan and Packet Storm document the issue and provide proof-of-concept requests; the vendor addressed the vulnerability by releasing version 2.1.2, which adds proper validation of the event_id parameter. The associated EPSS score reached a peak of 0.7763, indicating measurable post-disclosure interest in the flaw.
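The missing check described above is an ownership/type check on a user-controlled key: the handler must confirm that the supplied `event_id` points at an Event and that the caller is allowed to read it before it exports anything. The handler below is an added example of that hardened shape, not EventON's own code or its actual fix. It assumes the plugin registers events under the post type `ajde_events` (a placeholder; substitute the plugin's registered post type), and `build_ics_for_event()` is a hypothetical helper that stands in for the real ICS builder.

```php
<?php
// Added example (not EventON's code): a hardened AJAX handler for an ICS export.
// Assumptions: events use the post type 'ajde_events' (placeholder) and
// build_ics_for_event() is a hypothetical, minimal ICS builder defined below.

add_action( 'wp_ajax_nopriv_eventon_ics_download', 'hardened_ics_download' );
add_action( 'wp_ajax_eventon_ics_download', 'hardened_ics_download' );

function hardened_ics_download() {
    // Coerce the user-controlled key to a non-negative integer; 0 means "absent".
    $event_id = isset( $_REQUEST['event_id'] ) ? absint( $_REQUEST['event_id'] ) : 0;
    if ( 0 === $event_id ) {
        wp_send_json_error( 'missing event_id', 400 );
    }

    $post = get_post( $event_id );

    // The CWE-639 check: the id must resolve to an Event post, not to an
    // arbitrary post, page or attachment that happens to share the id space.
    if ( ! $post || 'ajde_events' !== $post->post_type ) {
        wp_send_json_error( 'not an event', 404 );
    }

    // Unauthenticated visitors get only published, non-password-protected events.
    // Logged-in users are checked against the normal read capability instead.
    if ( ! is_user_logged_in() ) {
        if ( 'publish' !== $post->post_status || post_password_required( $post ) ) {
            wp_send_json_error( 'not available', 403 );
        }
    } elseif ( ! current_user_can( 'read_post', $post->ID ) ) {
        wp_send_json_error( 'not available', 403 );
    }

    $ics = build_ics_for_event( $post );

    header( 'Content-Type: text/calendar; charset=utf-8' );
    header( 'Content-Disposition: attachment; filename="event-' . $event_id . '.ics"' );
    echo $ics;
    wp_die();
}

// Hypothetical helper: builds a minimal VCALENDAR for an already-authorized post.
function build_ics_for_event( WP_Post $post ) {
    $lines = array(
        'BEGIN:VCALENDAR',
        'VERSION:2.0',
        'PRODID:-//example//hardened-ics//EN',
        'BEGIN:VEVENT',
        'UID:' . $post->ID . '@' . wp_parse_url( home_url(), PHP_URL_HOST ),
        'DTSTAMP:' . gmdate( 'Ymd\THis\Z' ),
        'SUMMARY:' . str_replace( array( "\r", "\n" ), ' ', wp_strip_all_tags( $post->post_title ) ),
        'END:VEVENT',
        'END:VCALENDAR',
    );
    return implode( "\r\n", $lines ) . "\r\n";
}
```

The two rejections are deliberately separate: the post-type test closes the object-reference hole the advisory describes, and the status/capability test keeps drafts and private entries out of the export even for ids that are genuine events.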
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-43897
Vulnerability details
The EventON WordPress plugin before 2.1.2 does not validate that the event_id parameter in its eventon_ics_download ajax action is a valid Event, allowing unauthenticated visitors to access any Post (including unpublished or protected posts) content via the ics export functionality by providing the numeric id of the post.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.