WordPress Plugin Vulnerabilities

Spiffy Calendar < 4.9.2 - SQL Injection

Description

The plugin does not properly neutralize special elements used in an SQL command, leading to a potential SQL injection vulnerability.

Affects Plugins

Plugin icon
spiffy-calendar
Fixed in 4.9.2

References

CVE
CVE-2022-46859
URL
https://patchstack.com/database/vulnerability/spiffy-calendar/wordpress-spiffy-calendar-plugin-4-9-1-auth-sql-injection-sqli-vulnerability

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
7.7 (high)

Miscellaneous

Original Researcher
Justiice
Verified
No
WPVDB ID
0e3cb37b-8218-4027-b3c8-a13ca5ab2629

Timeline

Publicly Published
2023-04-07 (about 3 years ago)
Added
2023-11-03 (about 2 years ago)
Last Updated
2023-11-03 (about 2 years ago)

Other

Published
Title
Published
2025-07-08
Title
smart SEO <= 4.0 - Authenticated (Subscriber+) SQL Injection
Published
2020-11-24
Title
Media Library Assistant < 2.90 - Authenticated Blind SQL Injection
Published
2025-11-07
Title
Quick Featured Images < 13.7.4 - Authenticated (Editor+) SQL Injection via delete_orphaned
Published
2020-05-19
Title
Paid Memberships Pro < 2.3.3 - Authenticated SQL Injection
Published
2025-07-03
Title
GoZen Forms <= 1.1.5 - Unauthenticated SQL Injection via dirGZActiveForm()