Events Addon for Elementor < 2.1.3 – Cross-Site Request Forgery | Plugin Vulnerabilities

Description

The plugin is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1.2. This is due to missing nonce validation on the naevents_bw_settings_save_func(), naevents_bw_toggle_submit_func(), naevents_pro_settings_save_func(), naevents_pro_toggle_submit_func() and naevents_uw_settings_save_func() functions. This makes it possible for unauthenticated attackers to modify the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Affects Plugins

events-addon-for-elementor

Fixed in 2.1.3

References

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/5256ef2b-e1fc-4746-b35e-07a265f47f95

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Verified

No

WPVDB ID

b99c5e59-233f-41e7-9bd3-e8d38d35f531

Timeline

Publicly Published

2023-11-14 (about 6 months ago)

Added

2024-01-17 (about 4 months ago)

Last Updated

2024-01-17 (about 4 months ago)

Other

Published

Title

Published

2023-10-21

Title

Serial Numbers for WooCommerce – License Manager < 1.6.4 - Arbitrary Settings Update via CSRF

Published

2023-05-18

Title

Performance Lab < 2.3.0 - CSRF

Published

2021-07-27

Title

uListing < 2.0.6 - Modify User Roles via CSRF

Published

2023-03-14

Title

LOGIN AND REGISTRATION ATTEMPTS LIMIT <= 2.1 - Cross-Site Request Forgery (CSRF)

Published

2023-10-06

Title

Blog Manager Light <= 1.20 - Settings Update via CSRF