vulnerability
-
According to Patchstack there is a known vulnerability in this plugin:
WordPress EventON plugin <= 2.3.2 – Local File Inclusion vulnerability
-
Hello,
@ashanjay will check this ASAP. Thank you for letting us know!
Do you mind sharing the link @orbitbob because we are not able to find it online.
Thank you for your messages! @ashanjay will check this ASAP.
Hmm, this doesn’t really tell the exact location for this reported issue. We will keep an eye out for notices about exact codes that may cause vulnerabilities.
However, we just released version 2.4 with several known issues addressed.
2.4 does not resolve this. The following is from Patchstack:
Risks
CVSS 8.8
This vulnerability is highly dangerous and expected to become mass exploited.
8.8 Local File Inclusion
This could allow a malicious actor to include local files of the target website and show its output onto the screen. Files which store credentials, such as database credentials, could potentially allow complete database takeover depending on the configuration.
@ashanjay will check this ASAP. Thank you for letting us know!
Hello Friends! Thank you for letting us know of this. Usually these vendors contact us of known vulnerabilities, but we have not received any notice from this vendor. This vendor is also withholding the exact details of this vulnerability with pricing plans to unlock that — seems kind of strange.
We will do a general LFI (Local file inclusion) debugging again and get an update out soon!
The CVE is linked in the Patchstack report:
https://www.cve.org/CVERecord?id=CVE-2025-32614
@ashanjay is going to check this. Thank you!
Here is also the report from Wordfence with a reference to Patchstack:
It is marked as critical and version 2.4 doesn’t seem to address it. You need to take immediate action to resolve this as it is very crucial.
Hello friends, we are working on resolving this as this issue report does not mention any particular location where it is, we have reached out to the error reporter with no response.
We will run more tests and get a new version out hopefully this week.
Good news friend! Found where this LFI issue is coming from and we have already added necessary validations and sanitizations and we will release an update later today 🙂
Thank you @ashanjay, great news. Will be waiting for the update.
Latest version does not resolve the issue: https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/eventon-lite/eventon-24-unauthenticated-local-file-inclusion