Spiffy Calendar < 4.9.9 – Broken Access Control | CVE 2024-0855 | Plugin Vulnerabilities

Description

The plugin doesn't check the event_author parameter, and allows any user to alter it when creating an event, leading to deceiving users/admins that a page was created by a Contributor+.

Proof of Concept

Using a Contributor+ account and a proxy interceptor such as Burp Suite, create an event.
Change the event_location parameter name in the request to event_author, and feed it an ID of an admin (example ID 1).
Submit the request, and the event will be created, reflecting that it was created by X admin (the username of the ID used in step 2).

Affects Plugins

spiffy-calendar

Fixed in 4.9.9

References

CVE

Classification

Type

INCORRECT AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

cyc707

Submitter

cyc707

Verified

Yes

WPVDB ID

5d5da91e-3f34-46b0-8db2-354a88bdf934

Timeline

Publicly Published

2024-01-12 (about 1 year ago)

Added

2024-02-02 (about 1 year ago)

Last Updated

2024-02-02 (about 1 year ago)

Other

Published

Title

Published

2021-09-29

Title

Stylish Price List < 6.9.0 - Unauthenticated Arbitrary Image Upload

Published

2024-03-12

Title

Awesome Support < 6.1.7 - Insufficient Authorization via wpas_can_delete_attachments()

Published

2024-09-04

Title

SmartSearchWP < 2.4.6 - Unauthenticated OpenAI Key Disclosure

Published

2021-10-04

Title

Logo Slider and Showcase < 1.3.37 - Editor Plugin's Settings Update

Published

2024-01-29

Title

Avada < 7.11.2 - Subscriber+ Portfolio Permalinks Creation