CVE-2022-29434 – WordPress Spiffy Calendar plugin <= 4.9.0 - Edit/Delete event via IDOR vulnerability
https://notcve.org/view.php?id=CVE-2022-29434
Insecure Direct Object References (IDOR) vulnerability in Spiffy Plugins Spiffy Calendar <= 4.9.0 at WordPress allows an attacker to edit or delete events. Una vulnerabilidad de Referencias Directas a Objetos Inseguras (IDOR) en el plugin Spiffy Calendar de Spiffy versiones anteriores a 4.9.0 incluyéndola, en WordPress permite a un atacante editar o borrar eventos • https://patchstack.com/database/vulnerability/spiffy-calendar/wordpress-spiffy-calendar-plugin-4-9-0-edit-delete-event-via-idor-vulnerability https://wordpress.org/plugins/spiffy-calendar/#developers • CWE-639: Authorization Bypass Through User-Controlled Key •
CVE-2022-25599 – WordPress Spiffy Calendar plugin <= 4.9.0 - Event deletion via Cross-Site Request Forgery (CSRF) vulnerability
https://notcve.org/view.php?id=CVE-2022-25599
Cross-Site Request Forgery (CSRF) vulnerability leading to event deletion was discovered in Spiffy Calendar WordPress plugin (versions <= 4.9.0). Se ha detectado una vulnerabilidad de tipo Cross-Site Request Forgery (CSRF) conllevando a una eliminación de eventos en el plugin Spiffy Calendar de WordPress (versiones anteriores a 4.9.0 incluyéndola) • https://patchstack.com/database/vulnerability/spiffy-calendar/wordpress-spiffy-calendar-plugin-4-9-0-event-deletion-via-cross-site-request-forgery-csrf-vulnerability https://wordpress.org/plugins/spiffy-calendar/#developers • CWE-352: Cross-Site Request Forgery (CSRF) •