CVE-2022-29434

Published: May 20, 2022Modified: Feb 20, 2025

5.4

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

Exploitability: 2.8 / Impact: 2.5

Source: NVD

Description

Insecure Direct Object References (IDOR) vulnerability in Spiffy Plugins Spiffy Calendar <= 4.9.0 at WordPress allows an attacker to edit or delete events.

Affected (1)

Products: Spiffyplugins: Spiffy Calendar

Spiffyplugins

1 product

Spiffy Calendar

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Spiffyplugins Spiffy Calendar	Up to 4.9.0

Related CWEs

CWE-639

Authorization Bypass Through User-Controlled Key

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

References (4)

https://patchstack.com/database/vulnerability/spiffy-calendar/wordpress-spiffy-calendar-plugin-4-9-0-edit-delete-event-via-idor-vulnerability

Source: audit@patchstack.com

Release NotesThird Party Advisory

https://wordpress.org/plugins/spiffy-calendar/#developers

Source: audit@patchstack.com

ProductRelease Notes

https://patchstack.com/database/vulnerability/spiffy-calendar/wordpress-spiffy-calendar-plugin-4-9-0-edit-delete-event-via-idor-vulnerability

Source: af854a3a-2127-422b-91ae-364da2661108

Release NotesThird Party Advisory

https://wordpress.org/plugins/spiffy-calendar/#developers

Source: af854a3a-2127-422b-91ae-364da2661108

ProductRelease Notes

Timeline

No history available yet.