WordPress Plugin Vulnerabilities

Spiffy Calendar < 4.9.11 - Missing Authorization

Description

The Spiffy Calendar plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the admin_menu_output() function in versions up to, and including, 4.9.10. This makes it possible for authenticated attackers, with contributor-level access and above, to update an option.

Affects Plugins

Plugin icon
spiffy-calendar
Fixed in 4.9.11

References

CVE
CVE-2024-30528
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/114e8ba9-b6b0-4b54-982c-8e9efaa616c7

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Steven Julian
Verified
No
WPVDB ID
75b0fdb6-353e-4a8b-8d8b-e7f057d25da5

Timeline

Publicly Published
2024-03-29 (about 2 years ago)
Added
2024-04-03 (about 1 year ago)
Last Updated
2024-04-03 (about 1 year ago)

Other

Published
Title
Published
2025-10-23
Title
Quickcreator – AI Blog Writer 0.0.9 - 0.1.17 - Unauthenticated API Key Exposure
Published
2025-03-18
Title
FoodBakery | Delivery Restaurant Directory WordPress Theme < 4.8 - Missing Authorization in Multiple Functions
Published
2025-04-17
Title
JetElements For Elementor < 2.7.4.2 - Missing Authorization
Published
2026-03-20
Title
WP-Chatbot for Messenger <= 4.9 - Missing Authorization to Unauthenticated Chatbot Configuration Takeover
Published
2025-05-22
Title
Booking and Rental Manager < 2.3.9 - Missing Authorization