Eventin WordPress Plugin Privilege Escalation Vulnerability via Email Change
Vulnerability
A privilege escalation vulnerability allowing account takeover has been identified in the Eventin plugin for WordPress, affecting all versions through 4.0.34. The issue arises because the plugin fails to properly validate a user's identity or capabilities before allowing changes to user details, such as email addresses, in the 'Eventin\Speaker\Api\SpeakerController::update_item' function. This vulnerability enables authenticated attackers with contributor-level or higher permissions to alter the email addresses of any user, including administrators. Exploiting this flaw could facilitate a password reset, granting access to the targeted account.
Impact
Exploitation of this vulnerability could lead to unauthorized access to user accounts, including those of administrators, by allowing attackers to change email addresses and reset passwords.
Reproduction
To reproduce this vulnerability, an attacker with a contributor role or higher can send a request to the WordPress REST API endpoint for updating speaker information. The request must include the ID of the user whose email is to be changed and the new email address. The 'update_item' function in the 'SpeakerController' will process the request without proper validation, allowing the email change to occur.
Remediation
Users are advised to update the Eventin WordPress plugin to version 4.0.35 or later.
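The root cause described above is a missing authorization check on a REST update handler: the code trusts the supplied user ID and never asks whether the caller is allowed to edit that account. The following is an added illustrative example, not Eventin's own code and not its actual fix; the route names, the controller class name and the 'id' / 'email' parameter names are assumptions. It shows the vulnerable pattern next to a hardened version that uses WordPress's 'edit_user' meta capability, which a Contributor only holds for their own account, so the same code path can no longer be used to change another user's email.

```php
<?php
// Added illustrative example; not the plugin's code. Route, class and parameter
// names are hypothetical. Requires WordPress core (register_rest_route, etc.).

class Hypothetical_Speaker_Controller {

    public function register_routes() {
        // Vulnerable pattern: any logged-in user reaches the handler, and the
        // handler itself never checks whose account it is about to modify.
        register_rest_route( 'example/v1', '/speakers/(?P<id>\d+)', array(
            'methods'             => 'POST',
            'callback'            => array( $this, 'update_item_vulnerable' ),
            'permission_callback' => 'is_user_logged_in',
        ) );

        // Hardened pattern: a per-object capability check at the route level,
        // repeated inside the handler, plus input sanitisation.
        register_rest_route( 'example/v1', '/speakers-fixed/(?P<id>\d+)', array(
            'methods'             => 'POST',
            'callback'            => array( $this, 'update_item_fixed' ),
            'permission_callback' => array( $this, 'update_item_permissions_check' ),
            'args'                => array(
                'id'    => array( 'sanitize_callback' => 'absint' ),
                'email' => array( 'sanitize_callback' => 'sanitize_email' ),
            ),
        ) );
    }

    // Vulnerable: the target user ID comes straight from the request, so a
    // Contributor can point it at an administrator and rewrite that email.
    public function update_item_vulnerable( WP_REST_Request $request ) {
        $user_id = (int) $request->get_param( 'id' );
        $email   = $request->get_param( 'email' );
        wp_update_user( array( 'ID' => $user_id, 'user_email' => $email ) );
        return rest_ensure_response( array( 'updated' => true ) );
    }

    // Route-level check. WordPress maps the 'edit_user' meta capability to
    // 'edit_users' when the target is someone else, and grants it automatically
    // when the target is the current user, so ordinary roles pass only for
    // their own ID.
    public function update_item_permissions_check( WP_REST_Request $request ) {
        if ( ! is_user_logged_in() ) {
            return new WP_Error( 'rest_forbidden', 'Authentication required.', array( 'status' => 401 ) );
        }
        $user_id = absint( $request->get_param( 'id' ) );
        if ( ! current_user_can( 'edit_user', $user_id ) ) {
            return new WP_Error( 'rest_forbidden', 'You may not edit this user.', array( 'status' => 403 ) );
        }
        return true;
    }

    public function update_item_fixed( WP_REST_Request $request ) {
        $user_id = absint( $request->get_param( 'id' ) );
        $email   = sanitize_email( (string) $request->get_param( 'email' ) );

        // Re-check in the handler so protection does not depend on route
        // registration alone (defence in depth against a later refactor).
        if ( ! current_user_can( 'edit_user', $user_id ) ) {
            return new WP_Error( 'rest_forbidden', 'You may not edit this user.', array( 'status' => 403 ) );
        }

        // Reject malformed addresses and addresses already owned by another account.
        $owner = email_exists( $email );
        if ( ! is_email( $email ) || ( $owner && (int) $owner !== $user_id ) ) {
            return new WP_Error( 'rest_invalid_param', 'Invalid or already used email.', array( 'status' => 400 ) );
        }

        $result = wp_update_user( array( 'ID' => $user_id, 'user_email' => $email ) );
        if ( is_wp_error( $result ) ) {
            return $result;
        }
        return rest_ensure_response( array( 'updated' => true, 'id' => $user_id ) );
    }
}

add_action( 'rest_api_init', function () {
    ( new Hypothetical_Speaker_Controller() )->register_routes();
} );
```

When reviewing a REST controller for this class of bug, the two questions to ask of every update handler are whether the permission_callback is tied to the specific object being modified (not just "is logged in") and whether the handler itself rejects requests the route check should have stopped. Checking a generic capability such as 'edit_posts' is not sufficient when the object being edited is a user account.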