The Events Calendar < 6.2.8.1 – Unauthenticated Arbitrary Password Protected Post Read | CVE 2023-6203

Description

The plugin discloses the content of password protected posts to unauthenticated users via a crafted request

Proof of Concept

Append "?view=single-event" to a password protected post, then view the source of the page and find the post content disclosed in <script type="application/ld+json">

Example: https://exmple.com/password-protected-post/?view=single-event

Affects Plugins

the-events-calendar

Fixed in 6.2.8.1

References

CVE

CVE-2023-6203

Classification

Type

AUTHBYPASS

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CWE-287

CVSS

4.3 (medium)

Miscellaneous

Original Researcher

Krzysztof Zając (CERT PL)

Submitter

Krzysztof Zając (CERT PL)

Submitter website

https://cert.pl

Submitter twitter

cert_polska_en

Verified

Yes

WPVDB ID

229273e6-e849-447f-a95a-0730969ecdae

Timeline

Publicly Published

2023-11-23 (about 2 years ago)

Added

2023-11-23 (about 2 years ago)

Last Updated

2023-11-23 (about 2 years ago)

Other

Published

Title

Published

2024-11-27

Title

Contest Gallery < 24.0.8 - Unauthenticated Arbitrary Password Reset

Published

2024-10-15

Title

UltimateAI <= 2.8.3 - Limited User Password Reset

Published

2023-07-18

Title

OAuth Single Sign On – SSO (OAuth Client) < 6.23.4 - Improper Authentication

Published

2025-09-18

Title

Service Finder SMS System <= 2.0.0 - Authentication Bypass

Published

2024-09-03

Title

PixelYourSite – Your smart PIXEL (TAG) & API Manager <= 9.7.1 and PixelYourSite PRO <= 10.4.2 - Unauthenticated Information Exposure and Log Deletion