EventON Lite < 2.1.2 - Arbitrary File Download (CVE-2023-3219)
Source: pentest-tools.com, indexed 2025-03-26
Download link:
https://pentest-tools.com/vulnerabilities-exploits/undefined
Resource description:
The plugin does not validate that the event_id parameter in its eventon_ics_download ajax action is a valid Event, allowing unauthenticated visitors to access any Post (including unpublished or protected posts) content via the ics export functionality by providing the numeric id of the post.
Provided by:
pentest-tools.com



