EventON Lite
cpe:2.3:a:myeventon:eventon-lite:*:*:*:*:wordpress:*:*
- <= 2.4.6
A vulnerability allowing information exposure has been identified in the EventON Lite plugin for WordPress, affecting all versions through 2.4.6. The issue arises from insufficient restrictions on which posts can be accessed via the 'add_single_eventon' and 'add_eventon' shortcodes. This flaw enables unauthenticated attackers to retrieve data from password-protected, private, or draft posts that should otherwise be inaccessible.
Exploitation of this vulnerability could lead to unauthorized access to sensitive information from restricted posts, including password-protected, private, or draft content.
The vulnerability can be reproduced by using the 'add_single_eventon' or 'add_eventon' shortcodes on a WordPress site with the EventON Lite plugin version 2.4.6 or earlier. The shortcodes can be added to a post or page, which will then access and display data from restricted posts that the attacker should not have permission to view.
No known patch is available for this vulnerability. It is recommended to review the vulnerability details and consider uninstalling the affected plugin.
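A triage sketch for deciding whether a site is exposed (an added example, not part of the advisory or the plugin's code): it flags an affected install from plugin inventory data and lists posts that embed either shortcode so they can be reviewed. It assumes the plugin slug matches the CPE product name `eventon-lite` and that the input has the shape of WP-CLI JSON output. The sample records and the `id` attribute are constructed.

```python
import re

AFFECTED_SLUG = "eventon-lite"   # assumption: slug taken from the CPE product name
LAST_AFFECTED = (2, 4, 6)        # advisory: all versions through 2.4.6
# The two shortcodes named in the advisory; the lookbehind skips the escaped [[...]] form.
SHORTCODE_RE = re.compile(r"(?<!\[)\[(add_single_eventon|add_eventon)\b([^\]]*)\]")

def parse_version(text):
    """Turn '2.4.6' into (2, 4, 6); non-numeric suffixes such as '-beta' are dropped."""
    parts = []
    for piece in text.split("."):
        digits = re.match(r"\d+", piece)
        parts.append(int(digits.group()) if digits else 0)
    return tuple(parts)

def is_affected(plugin):
    """True when the inventory entry is EventON Lite at or below 2.4.6."""
    if plugin.get("name") != AFFECTED_SLUG:
        return False
    version = parse_version(plugin.get("version", "0"))
    version += (0,) * (len(LAST_AFFECTED) - len(version))  # '2.4' compares as 2.4.0
    return version <= LAST_AFFECTED

def find_shortcode_uses(posts):
    """Return (post ID, shortcode, raw attributes) for every embedded use."""
    hits = []
    for post in posts:
        for match in SHORTCODE_RE.finditer(post.get("post_content", "")):
            hits.append((post["ID"], match.group(1), match.group(2).strip()))
    return hits

# Constructed sample data in the shape of `wp plugin list --format=json` and
# `wp post list --fields=ID,post_status,post_content --format=json`.
SAMPLE_PLUGINS = [
    {"name": "eventon-lite", "status": "active", "version": "2.4.6"},
    {"name": "example-plugin", "status": "active", "version": "5.3"},
]
SAMPLE_POSTS = [
    {"ID": 12, "post_status": "publish", "post_content": 'Agenda: [add_single_eventon id="77"]'},
    {"ID": 15, "post_status": "publish", "post_content": "Docs show [[add_eventon]] literally."},
    {"ID": 19, "post_status": "draft", "post_content": "<p>[add_eventon]</p> and no events yet"},
]

if __name__ == "__main__":
    for plugin in SAMPLE_PLUGINS:
        if is_affected(plugin):
            print(f"AFFECTED: {plugin['name']} {plugin['version']} ({plugin['status']})")
    for post_id, shortcode, attrs in find_shortcode_uses(SAMPLE_POSTS):
        print(f"review post {post_id}: [{shortcode}] attrs={attrs!r}")
```
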