wpexploit / cyc707 / WPEX-ID:5D5DA91E-3F34-46B0-8DB2-354A88BDF934
History: Feb 02, 2024 - 12:00 a.m.

Spiffy Calendar < 4.9.9 - Broken Access Control

2024-02-02 00:00:00
cyc707
Tags: spiffy calendar, broken access control, contributor+ account, proxy interceptor, burp suite, event creation, parameter change, admin id exploit

AI Score: 6.7 Medium (Confidence: High)
EPSS: 0.0004 Low (Percentile: 9.0%)

Description: The plugin does not check the event_author parameter and allows any user to alter it when creating an event. Users and admins are therefore deceived about who created the event, since an event that was in fact created by a Contributor+ user is shown as created by someone else.

1. Using a Contributor+ account and a proxy interceptor such as Burp Suite, create an event.
2. In the intercepted request, change the event_location parameter name to event_author and give it the ID of an admin (for example, ID 1).
3. Submit the request. The event is created and is shown as created by the admin whose ID was used in step 2 (the username belonging to that ID).
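The following is an added illustration, not Spiffy Calendar's own code: a hypothetical WordPress event-save handler showing the trusting pattern described above next to a hardened version that treats the author as server-controlled. It assumes WordPress core functions (current_user_can, get_current_user_id, get_userdata, wp_insert_post, wp_verify_nonce) and a custom post type and nonce action name chosen for this example.

```php
<?php
// Added example, NOT the plugin's code. Assumes it runs inside WordPress;
// the post type "example_event" and nonce action "example_save_event" are
// names chosen for this illustration.

// Vulnerable pattern: the client-supplied event_author is trusted as-is,
// so any user who can create events can attribute them to another account.
function example_save_event_vulnerable( array $request ) {
    $author_id = isset( $request['event_author'] )
        ? (int) $request['event_author']
        : get_current_user_id();
    return wp_insert_post( array(
        'post_type'   => 'example_event',
        'post_title'  => sanitize_text_field( $request['event_title'] ?? '' ),
        'post_author' => $author_id,
    ) );
}

// Hardened pattern: a supplied event_author is honoured only when the
// current user may edit others' posts (editors/administrators) and the ID
// names a real user; everyone else is recorded as the author themselves.
function example_resolve_event_author( array $request ) {
    $current = get_current_user_id();
    if ( ! isset( $request['event_author'] ) ) {
        return $current;
    }
    $requested = (int) $request['event_author'];
    if ( $requested === $current ) {
        return $current;
    }
    if ( ! current_user_can( 'edit_others_posts' ) || ! get_userdata( $requested ) ) {
        // Log instead of silently accepting: a low-privileged account
        // submitting a foreign author ID is the signal worth detecting.
        error_log( sprintf( 'Rejected event_author=%d from user %d', $requested, $current ) );
        return $current;
    }
    return $requested;
}

function example_save_event_fixed( array $request ) {
    // Require the form nonce so the request came from the event form.
    if ( ! isset( $request['_wpnonce'] )
        || ! wp_verify_nonce( $request['_wpnonce'], 'example_save_event' ) ) {
        return new WP_Error( 'bad_nonce', 'Invalid request' );
    }
    return wp_insert_post( array(
        'post_type'   => 'example_event',
        'post_title'  => sanitize_text_field( $request['event_title'] ?? '' ),
        'post_author' => example_resolve_event_author( $request ),
    ) );
}
```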

