{"id":2612,"date":"2024-01-09T20:55:24","date_gmt":"2024-01-09T20:55:24","guid":{"rendered":"http:\/\/127.0.0.1\/eventon-plugin-de-calendario-virtual-de-eventos-para-wordpress-4-5-4-pro-2-2-8-free-cross-site-request-forgery-a-traves-de-save_virtual_event_settings\/"},"modified":"2024-01-09T20:55:24","modified_gmt":"2024-01-09T20:55:24","slug":"eventon-plugin-de-calendario-virtual-de-eventos-para-wordpress-4-5-4-pro-2-2-8-free-cross-site-request-forgery-a-traves-de-save_virtual_event_settings","status":"publish","type":"post","link":"http:\/\/127.0.0.1\/eventon-plugin-de-calendario-virtual-de-eventos-para-wordpress-4-5-4-pro-2-2-8-free-cross-site-request-forgery-a-traves-de-save_virtual_event_settings\/","title":{"rendered":"EventON – WordPress Virtual Event Calendar Plugin <= 4.5.4 (Pro) & <= 2.2.8 (Free) – Cross-Site Request Forgery via save_virtual_event_settings"},"content":{"rendered":"
The EventON – WordPress Virtual Event Calendar Plugin is vulnerable to Cross-Site Request Forgery (CSRF) in all versions up to, and including, 4.5.4 (Pro) & 2.2.8 (Free). This is due to missing or incorrect nonce validation on the save_virtual_event_settings function. This allows unauthenticated attackers to modify virtual event settings via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.<\/div>\n

<\/p>\n

The EventON – WordPress Virtual Event Calendar Plugin is a popular tool used to manage events on a WordPress website. However, the lack of proper validation in the save_virtual_event_settings function can allow an unauthenticated attacker to issue a forged request and modify the virtual event settings without the site administrator's knowledge.<\/p>\n

Cross-Site Request Forgery (CSRF) is a vulnerability that lets an attacker force an authenticated user to perform unwanted actions without their knowledge or consent. In this case, an attacker can exploit this vulnerability to modify the virtual event settings on the target website.<\/p>\n

To remediate this issue, updating the EventON plugin to the latest available version is recommended, since the developers fixed it in versions later than 4.5.4 (Pro) and 2.2.8 (Free). In addition, site administrators should be careful when clicking on suspicious or unverified links, especially if they come from untrusted sources.<\/p><\/div>\n

The lack of proper validation in the save_virtual_event_settings function of the EventON – WordPress Virtual Event Calendar Plugin creates a Cross-Site Request Forgery (CSRF) vulnerability. However, users can protect themselves by updating the plugin to the latest available version and being cautious when clicking on suspicious links. By taking these measures, site administrators can mitigate the risk of falling victim to this type of attack.<\/div>\n","protected":false},"excerpt":{"rendered":"

The EventON – WordPress Virtual Event Calendar Plugin is vulnerable to Cross-Site Request Forgery (CSRF) in all versions up to, and including, 4.5.4 (Pro) & 2.2.8 (Free). This is due to missing or incorrect nonce validation on the save_virtual_event_settings function. This allows unauthenticated attackers to modify the settings […]<\/p>\n","protected":false},"author":0,"featured_media":0,"comment_status":"","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[351],"class_list":["post-2612","post","type-post","status-publish","format-standard","hentry","category-uncategorized","tag-cve-2023-6244"],"yoast_head_json":{"title":"EventON - WordPress Virtual Event Calendar Plugin <= 4.5.4 (Pro) & <= 2.2.8 (Free) - Cross-Site Request Forgery via save_virtual_event_settings - SeguridadWordPress.es","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"http:\/\/127.0.0.1\/eventon-plugin-de-calendario-virtual-de-eventos-para-wordpress-4-5-4-pro-2-2-8-free-cross-site-request-forgery-a-traves-de-save_virtual_event_settings\/","og_locale":"en_US","og_type":"article","og_title":"EventON - WordPress Virtual Event Calendar Plugin <= 4.5.4 (Pro) & <= 2.2.8 (Free) - Cross-Site Request Forgery via save_virtual_event_settings - SeguridadWordPress.es","og_description":"The EventON – WordPress Virtual Event Calendar Plugin is vulnerable to Cross-Site Request Forgery (CSRF) in all versions up to, and including, 4.5.4 (Pro) & 2.2.8 (Free). This is due to missing or incorrect nonce validation on the save_virtual_event_settings function. This allows unauthenticated attackers to modify the settings […]","og_url":"http:\/\/127.0.0.1\/eventon-plugin-de-calendario-virtual-de-eventos-para-wordpress-4-5-4-pro-2-2-8-free-cross-site-request-forgery-a-traves-de-save_virtual_event_settings\/","og_site_name":"SeguridadWordPress.es","article_published_time":"2024-01-09T20:55:24+00:00","twitter_card":"summary_large_image","twitter_misc":{"Est. reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"http:\/\/127.0.0.1\/eventon-plugin-de-calendario-virtual-de-eventos-para-wordpress-4-5-4-pro-2-2-8-free-cross-site-request-forgery-a-traves-de-save_virtual_event_settings\/","url":"http:\/\/127.0.0.1\/eventon-plugin-de-calendario-virtual-de-eventos-para-wordpress-4-5-4-pro-2-2-8-free-cross-site-request-forgery-a-traves-de-save_virtual_event_settings\/","name":"EventON - WordPress Virtual Event Calendar Plugin <= 4.5.4 (Pro) & <= 2.2.8 (Free) - Cross-Site Request Forgery via save_virtual_event_settings - SeguridadWordPress.es","isPartOf":{"@id":"http:\/\/127.0.0.1\/#website"},"datePublished":"2024-01-09T20:55:24+00:00","dateModified":"2024-01-09T20:55:24+00:00","author":{"@id":""},"breadcrumb":{"@id":"http:\/\/127.0.0.1\/eventon-plugin-de-calendario-virtual-de-eventos-para-wordpress-4-5-4-pro-2-2-8-free-cross-site-request-forgery-a-traves-de-save_virtual_event_settings\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["http:\/\/127.0.0.1\/eventon-plugin-de-calendario-virtual-de-eventos-para-wordpress-4-5-4-pro-2-2-8-free-cross-site-request-forgery-a-traves-de-save_virtual_event_settings\/"]}]},{"@type":"BreadcrumbList","@id":"http:\/\/127.0.0.1\/eventon-plugin-de-calendario-virtual-de-eventos-para-wordpress-4-5-4-pro-2-2-8-free-cross-site-request-forgery-a-traves-de-save_virtual_event_settings\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"http:\/\/127.0.0.1\/"},{"@type":"ListItem","position":2,"name":"EventON – WordPress Virtual Event Calendar Plugin <= 4.5.4 (Pro) & <= 2.2.8 (Free) – Cross-Site Request Forgery via save_virtual_event_settings"}]},{"@type":"WebSite","@id":"http:\/\/127.0.0.1\/#website","url":"http:\/\/127.0.0.1\/","name":"SeguridadWordPress.es","description":"Collection of WordPress vulnerabilities.","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"http:\/\/127.0.0.1\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"}]}},"amp_enabled":true,"_links":{"self":[{"href":"http:\/\/127.0.0.1\/wp-json\/wp\/v2\/posts\/2612"}],"collection":[{"href":"http:\/\/127.0.0.1\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/127.0.0.1\/wp-json\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"http:\/\/127.0.0.1\/wp-json\/wp\/v2\/comments?post=2612"}],"version-history":[{"count":0,"href":"http:\/\/127.0.0.1\/wp-json\/wp\/v2\/posts\/2612\/revisions"}],"wp:attachment":[{"href":"http:\/\/127.0.0.1\/wp-json\/wp\/v2\/media?parent=2612"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/127.0.0.1\/wp-json\/wp\/v2\/categories?post=2612"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/127.0.0.1\/wp-json\/wp\/v2\/tags?post=2612"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}