WordPress Plugin Vulnerabilities

Event Calendar < 1.4.7 - Unauthenticated Arbitrary Event Deletion

Description

The plugin does not have authorisation check when deleting events, which could allow unauthenticated attackers to delete them

Affects Plugins

Plugin icon
calendar-event
Fixed in 1.4.7

References

CVE
CVE-2022-38067

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
6.5 (medium)

Miscellaneous

Original Researcher
Nguy Minh Tuan
Verified
No
WPVDB ID
3566fa3b-cd94-4d62-b0af-7b221cfa677b

Timeline

Publicly Published
2022-08-25 (about 3 years ago)
Added
2022-09-15 (about 3 years ago)
Last Updated
2022-10-04 (about 3 years ago)

Other

Published
Title
Published
2023-11-21
Title
UserPro < 5.1.2 - Missing Authorization via multiple functions
Published
2024-05-06
Title
WP Post Author < 3.7.5 - Missing Authorization
Published
2024-12-14
Title
Torod – The smart shipping and delivery portal for e-shops and retailers < 1.8 - Missing Authorization to Unauthenticated Plugin Settings Update
Published
2024-05-07
Title
weDocs < 2.1.5 - Missing Authorization
Published
2025-01-24
Title
ElementInvader Addons for Elementor < 1.3.2 - Missing Authorization