WordPress Plugin Vulnerabilities

Spiffy Calendar < 4.9.1 - Arbitrary Event Deletion via CSRF

Description

The plugin does not have CSRF check in place when deleting events, allowing attacker to make a logged in admin delete arbitrary events via a CSRF attack

Affects Plugins

Plugin icon
spiffy-calendar
Fixed in 4.9.1

References

CVE
CVE-2022-25599

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
5.4 (medium)

Miscellaneous

Original Researcher
Ngo Van Thien
Verified
No
WPVDB ID
a53717aa-1204-4a35-9a83-c529aa8c51ad

Timeline

Publicly Published
2022-02-10 (about 4 years ago)
Added
2022-02-21 (about 4 years ago)
Last Updated
2022-04-10 (about 4 years ago)

Other

Published
Title
Published
2025-04-24
Title
Unsafe Mimetypes <= 0.1.4 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Published
2024-04-12
Title
Zoho Campaigns < 2.0.8 - Cross-Site Request Forgery via zcwc_optin_save
Published
2025-12-05
Title
Add Custom Codes < 5.0 - Cross-Site Request Forgery
Published
2023-06-15
Title
WooCommerce Stock Manager < 2.11.0 - Cross-Site Request Forgery
Published
2026-02-11
Title
Busiprof <= 2.5.2 - Cross-Site Request Forgery