MF Gig Calendar <= 1.2.1 – Arbitrary Event Deletion via CSRF | CVE 2024-3756 | Plugin Vulnerabilities

Description

The plugin does not have CSRF checks in some places, which could allow attackers to make logged in Contributors and above delete arbitrary events via a CSRF attack

Proof of Concept

Make a contributor or higher user open a link where <<EVENT_ID>> is a valid event:

https://example.com/wp-admin/admin.php?page=mf_gig_calendar&id=<<EVENT_ID>>&action=delete

Affects Plugins

mf-gig-calendar

No known fix

References

CVE

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Bob Matyas

Submitter

Bob Matyas

Submitter website

https://www.bobmatyas.com

Submitter twitter

Verified

Yes

WPVDB ID

b28d0dca-2df1-4925-be81-dd9c46859c38

Timeline

Publicly Published

2024-04-15 (about 1 year ago)

Added

2024-04-15 (about 1 year ago)

Last Updated

2024-04-15 (about 1 year ago)

Other

Published

Title

Published

2023-02-06

Title

Conversios.io < 5.2.4 - Settings Update via CSRF

Published

2025-04-09

Title

NewsBoard Post and RSS Scroller <= 1.2.12 - Cross-Site Request Forgery to Stored Cross-Site Scripting

Published

2023-07-17

Title

WooCommerce Brands < 1.6.50 - Cross-Site Request Forgery

Published

2024-03-28

Title

WP SMS < 6.6.3 - Cross-Site Request Forgery

Published

2022-10-31

Title

Restaurant Menu < 2.3.2 - Multiple CSRF