CVE-2022-3891

Published: Feb 13, 2023Modified: Mar 21, 2025

5.3

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Exploitability: 3.9 / Impact: 1.4

Source: NVD

Description

The WP FullCalendar WordPress plugin before 1.5 does not ensure that the post retrieved via an AJAX action is public and can be accessed by the user making the request, allowing unauthenticated attackers to get the content of arbitrary posts, including draft/private as well as password-protected ones.

Affected (1)

Products: Pixelite: Wp Fullcalendar

Pixelite

1 product

Wp Fullcalendar

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Pixelite Wp Fullcalendar	Before 1.5

References (2)

https://wpscan.com/vulnerability/5a69965d-d243-4d51-b7a4-d6f4b199abf1

Source: contact@wpscan.com

ExploitThird Party Advisory

https://wpscan.com/vulnerability/5a69965d-d243-4d51-b7a4-d6f4b199abf1

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

Timeline

No history available yet.