WordPress Plugin Vulnerabilities

Spiffy Calendar < 4.9.1 - Subscriber+ Arbitrary Event Edition/Deletion via IDOR

Description

The plugin does not check that an event belongs to the user editing/deleting it, allowing any authenticated users to delete arbitrary one via an IDOR attack

Affects Plugins

Plugin icon
spiffy-calendar
Fixed in 4.9.1

References

CVE
CVE-2022-29434

Classification

Type
IDOR
OWASP top 10
A5: Broken Access Control
CWE
CWE-639
CVSS
6.3 (medium)

Miscellaneous

Original Researcher
Ex.Mi
Verified
Yes
WPVDB ID
f978af27-604e-4e43-abb6-3b87cc9dbef6

Timeline

Publicly Published
2022-02-10 (about 4 years ago)
Added
2022-05-21 (about 3 years ago)
Last Updated
2023-02-14 (about 3 years ago)

Other

Published
Title
Published
2026-03-10
Title
Happy Addons for Elementor < 3.21.1 - Insecure Direct Object Reference to Authenticated (Contributor+) Stored Cross-Site Scripting via Template Conditions
Published
2025-11-24
Title
Admin and Customer Messages After Order for WooCommerce: OrderConvo < 15 - Missing Authorization to Unauthenticated Information Disclosure
Published
2024-01-05
Title
Profile Builder < 3.10.8 - Contributor+ User Metadata Disclosure
Published
2024-11-12
Title
BuddyPress Builder for Elementor – BuddyBuilder < 1.8.0 - Contributor+ Post Disclosure
Published
2025-01-10
Title
RRAddons for Elementor <= 1.1.0 - Authenticated (Contributor+) Post Disclosure