4 matches found
CVE-2022-3891
The WP FullCalendar WordPress plugin before 1.5 does not ensure that the post retrieved via an AJAX action is public and can be accessed by the user making the request, allowing unauthenticated attackers to get the content of arbitrary posts, including draft/private as well as password-protected...
CVE-2022-3891
The WP FullCalendar WordPress plugin before 1.5 does not ensure that the post retrieved via an AJAX action is public and can be accessed by the user making the request, allowing unauthenticated attackers to get the content of arbitrary posts, including draft/private as well as password-protected...
CVE-2022-3891
The CVE-2022-3891 entry concerns the WP FullCalendar WordPress plugin (pre-1.5). The vulnerability arises from insufficient access control on an AJAX endpoint, allowing unauthenticated attackers to retrieve content from arbitrary posts, including draft, private, or password-protected ones. Impact...
WordPress WP FullCalendar Plugin <= 1.4.1 is vulnerable to Broken Access Control
Software WP FullCalendar Type Plugin Vulnerable versions = 1.4.1 Fixed in 1.5 OWASP Top 10 A5: Broken Access Control Classification Broken Access Control CVE CVE-2022-3891 Patch priority Medium CVSS severity Medium 5.3 Developer Claim ownership PSID ab1743664bc8 Credits Lana Codes Required...