CVE-2024-0855 – Spiffy Calendar < 4.9.9 - Broken Access Control

https://notcve.org/view.php?id=CVE-2024-0855

The Spiffy Calendar WordPress plugin before 4.9.9 doesn't check the event_author parameter, and allows any user to alter it when creating an event, leading to deceiving users/admins that a page was created by a Contributor+. El complemento Spiffy Calendar de WordPress anterior a 4.9.9 no verifica el parámetro event_author y permite a cualquier usuario modificarlo al crear un evento, lo que lleva a engañar a los usuarios/administradores de que una página fue creada por un Contributor+. The Spiffy Calendar plugin for WordPress is vulnerable to unauthorized modification of data due insufficient restrictions on the event_author parameter in all versions up to, and including, 4.9.8. This makes it possible for authenticated attackers, with contributor-level access and above, to make an event appear as though it was created by another user. • https://wpscan.com/vulnerability/5d5da91e-3f34-46b0-8db2-354a88bdf934 • CWE-863: Incorrect Authorization •