The Eventin – Event Manager, Event Booking, Calendar, Tickets and Registration Plugin for WordPress suffers from a missing authorization check (CWE-862) in its 'post_settings' function, present in all versions up to and including 4.0.51. This flaw allows unauthenticated attackers to modify plugin settings remotely because the plugin fails to verify user capabilities before processing setting changes. Furthermore, the 'etn_primary_color' setting lacks proper input sanitization and output escaping, enabling attackers to inject arbitrary JavaScript code. When a user visits any page loading Eventin styles, the injected script executes in their browser context, resulting in a stored cross-site scripting (XSS) vulnerability. The vulnerability has a CVSS 3.1 base score of 7.2, reflecting its network exploitability without privileges or user interaction, and its impact on confidentiality and integrity with a scope change. No patches or official fixes are currently linked, and no known exploits have been observed in the wild. The vulnerability affects all versions of the plugin, which is widely used for event management on WordPress sites, making it a critical concern for website administrators.

This vulnerability poses a significant risk to organizations using the Eventin plugin on WordPress sites. Unauthorized modification of plugin settings can lead to misconfiguration, enabling further attacks or disruption of event management functionalities. The stored XSS component allows attackers to execute arbitrary scripts in the browsers of site visitors, potentially leading to session hijacking, credential theft, or distribution of malware. Since the vulnerability requires no authentication or user interaction, it can be exploited remotely and at scale, increasing the attack surface. The compromise of event management systems can disrupt business operations, damage reputation, and expose sensitive user data. Additionally, the scope change in the CVSS vector indicates that the vulnerability affects resources beyond the vulnerable component, potentially impacting other parts of the website or connected systems.

Organizations should immediately audit their WordPress installations for the presence of the Eventin plugin and verify the version in use. Since no official patch links are currently available, administrators should consider temporarily disabling the plugin or restricting access to the affected functionality via web application firewall (WAF) rules that block unauthorized POST requests to the 'post_settings' endpoint. Input validation and output encoding can be enforced at the application or server level to mitigate XSS risks. Monitoring web server logs for suspicious requests targeting Eventin settings can help detect exploitation attempts. Administrators should also educate users about the risks of visiting compromised pages and ensure regular backups are in place. Once a vendor patch is released, prompt updating to a fixed version is critical. Additionally, implementing Content Security Policy (CSP) headers can reduce the impact of injected scripts.