Description

The plugin does not validate the event_author parameter and allows any user to set it when creating an event. An event actually created by a Contributor+ user can therefore be made to appear as if it was created by another user, such as an administrator, misleading users and admins about who authored it.

Steps to reproduce:

1. Using a Contributor+ account and a proxy interceptor such as Burp Suite, create an event.
2. Change the event_location parameter name in the request to event_author, and give it the ID of an admin (for example, ID 1).
3. Submit the request. The event is created and shows that it was created by that admin (the username of the ID used in step 2).
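The root cause is a mass-assignment style bug: an author field taken straight from the request is written to the post without any authorization check. The following is an added, simplified illustration and is not the affected plugin's code; the function names, the `event` post type, the `create_event` nonce action and the form field names are assumptions. It places the vulnerable pattern next to a hardened version that only honours a caller-supplied author when the caller holds a capability that permits acting on others' behalf.

```php
<?php
// Added example, not the affected plugin's code. Function names, the 'event'
// post type, the 'create_event' nonce action and field names are assumptions.

// VULNERABLE PATTERN: post_author is taken directly from the request, so any
// user who can submit the form can name another user (e.g. ID 1) as author.
function vulnerable_create_event() {
    $data = array(
        'post_type'    => 'event',
        'post_status'  => 'publish',
        'post_title'   => sanitize_text_field( $_POST['event_title'] ?? '' ),
        'post_content' => wp_kses_post( $_POST['event_content'] ?? '' ),
        // Unchecked, attacker-controlled author ID.
        'post_author'  => absint( $_POST['event_author'] ?? get_current_user_id() ),
    );
    return wp_insert_post( $data );
}

// HARDENED: verify the nonce, require a capability, default the author to the
// current user, and only accept an override from users allowed to edit
// others' posts (Contributors are not).
function secure_create_event() {
    if ( ! isset( $_POST['_wpnonce'] ) || ! wp_verify_nonce( $_POST['_wpnonce'], 'create_event' ) ) {
        wp_die( 'Invalid request.', 403 );
    }
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }

    $author = get_current_user_id();
    if ( isset( $_POST['event_author'] ) && current_user_can( 'edit_others_posts' ) ) {
        $requested = absint( $_POST['event_author'] );
        // Accept the override only if it names an existing user.
        if ( $requested && get_userdata( $requested ) ) {
            $author = $requested;
        }
    }

    $data = array(
        'post_type'    => 'event',
        // Users without publish rights get a pending event instead of a live one.
        'post_status'  => current_user_can( 'publish_posts' ) ? 'publish' : 'pending',
        'post_title'   => sanitize_text_field( $_POST['event_title'] ?? '' ),
        'post_content' => wp_kses_post( $_POST['event_content'] ?? '' ),
        'post_author'  => $author,
    );
    return wp_insert_post( $data, true );
}
```

The simplest fix is to ignore any client-supplied author entirely and always use `get_current_user_id()`; the capability-gated override above is for plugins that legitimately let editors create events on behalf of other users. When reviewing such a report, check that every field written by `wp_insert_post()` (author, status, date) is either derived server-side or gated by the matching WordPress capability.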
| CPE | Name | Operator | Version |
|---|---|---|---|
| | | eq | 4.9.9 |