Eventin WordPress Plugin Unauthorized Data Modification Vulnerability Allowing Stored Cross-Site Scripting

A vulnerability exists in the Eventin WordPress plugin, specifically in the Event Manager, Events Calendar, Event Tickets and Registrations components, all versions through 4.0.51. The issue arises from a missing capability check in the 'post_settings' function, allowing unauthenticated users to modify plugin settings. Additionally, inadequate input sanitization and output escaping for the 'etn_primary_color' setting enable the injection of arbitrary web scripts, which could execute when a user visits a page with Eventin styles.

Impact

Exploitation of this vulnerability could lead to unauthorized data modification and stored cross-site scripting, where injected scripts are executed in the context of the user.

Reproduction

The vulnerability can be reproduced by sending a request to the 'post_settings' function without the necessary authorization. This can be done by an unauthenticated user, who can then modify plugin settings. To exploit the cross-site scripting aspect, inject a script into the 'etn_primary_color' setting, which will be executed when Eventin styles are loaded on a page.

Remediation

Users are advised to update the Eventin WordPress plugin to version 4.0.52 or later.