The Eventin – Event Manager, Events Calendar, Event Tickets and Registrations plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'post_settings' function in all versions up to, and including, 4.0.51. This makes it possible for unauthenticated attackers to modify plugin settings. Furthermore, due to insufficient input sanitization and output escaping on the 'etn_primary_color' setting, this enables unauthenticated attackers to inject arbitrary web scripts that will execute whenever a user accesses a page where Eventin styles are loaded.
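As an added illustration (not Eventin's own code), the sketch below shows the two defects the advisory describes, a settings handler reachable without a capability check and an unsanitized colour value, next to a hardened form. The REST route, the function names and the hooks are assumptions; only the setting name `etn_primary_color` comes from the advisory.

```php
<?php
// Illustrative sketch, not Eventin's code. Route path, function names and the
// use of the REST API are assumptions; 'etn_primary_color' is from the advisory.

// (a) Vulnerable pattern: the route is open to everyone and the raw value is
//     stored as-is, so any string ends up in the page's styles.
function example_post_settings_unsafe( WP_REST_Request $request ) {
    update_option( 'etn_primary_color', $request->get_param( 'etn_primary_color' ) );
    return rest_ensure_response( array( 'saved' => true ) );
}
function example_register_unsafe_route() {
    register_rest_route( 'example/v1', '/settings', array(
        'methods'             => 'POST',
        'callback'            => 'example_post_settings_unsafe',
        'permission_callback' => '__return_true', // missing capability check
    ) );
}

// (b) Hardened pattern: caller must be allowed to manage options, and the
//     value must be a #rgb or #rrggbb colour before it is stored.
function example_post_settings_safe( WP_REST_Request $request ) {
    update_option( 'etn_primary_color', $request->get_param( 'etn_primary_color' ) );
    return rest_ensure_response( array( 'saved' => true ) );
}
function example_register_safe_route() {
    register_rest_route( 'example/v1', '/settings', array(
        'methods'             => 'POST',
        'callback'            => 'example_post_settings_safe',
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
        'args'                => array(
            'etn_primary_color' => array(
                'type'              => 'string',
                'validate_callback' => function ( $v ) { return null !== sanitize_hex_color( (string) $v ); },
                'sanitize_callback' => 'sanitize_hex_color',
            ),
        ),
    ) );
}
add_action( 'rest_api_init', 'example_register_safe_route' ); // only the safe route is hooked
// Escape on output too, even though the stored value was already sanitized.
function example_print_primary_color_css() {
    $color = sanitize_hex_color( (string) get_option( 'etn_primary_color', '' ) );
    if ( $color ) {
        echo '<style>:root{--example-primary:' . esc_html( $color ) . '}</style>';
    }
}
add_action( 'wp_head', 'example_print_primary_color_css' );
```

Note that `sanitize_hex_color()` returns null for anything that is not three or six hex digits after `#`, which is why the validate callback can rely on it to reject script-bearing values.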
The Eventin WordPress plugin contains a critical authorization bypass allowing unauthenticated attackers to modify plugin settings and inject malicious scripts through unsanitized input. This vulnerability affects all versions up to 4.0.51 and can lead to website compromise and user data theft.
The Eventin plugin contains a capability-check vulnerability that allows unauthorized attackers to modify the plugin's settings and inject malicious scripts. The vulnerability affects all versions up to 4.0.51 and may lead to site compromise and theft of user data.
Update the Eventin plugin to version 4.0.52 or later immediately. Implement Web Application Firewall (WAF) rules to block unauthorized POST requests to plugin settings endpoints. Review and audit all plugin settings for unauthorized modifications. Disable the plugin if immediate patching is not possible.
Update the Eventin plugin to version 4.0.52 or later immediately. Apply Web Application Firewall rules to block unauthorized POST requests. Review all plugin settings to check for unauthorized modifications. Disable the plugin if an immediate update is not possible.