CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 1CVE-2023-6203 – The Events Calendar < 6.2.8.1 - Unauthenticated Arbitrary Password Protected Post Read
https://notcve.org/view.php?id=CVE-2023-6203
The Events Calendar WordPress plugin before 6.2.8.1 discloses the content of password protected posts to unauthenticated users via a crafted request El complemento Events Calendar de WordPress anterior a 6.2.8.1 revela el contenido de publicaciones protegidas con contraseña a usuarios no autenticados a través de una solicitud manipulada The The Events Calendar plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to and including 6.2.8 via the get_data function. This makes it possible for unauthenticated attackers to extract sensitive data including private post content, via the REST API. • https://wpscan.com/vulnerability/229273e6-e849-447f-a95a-0730969ecdae • CWE-202: Exposure of Sensitive Information Through Data Queries •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2023-35777 – The Events Calendar <= 6.1.2.2 - Missing Authorization
https://notcve.org/view.php?id=CVE-2023-35777
The The Events Calendar plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the get_ical_output_for_an_event() function in versions up to, and including, 6.1.2.2. This makes it possible for unauthenticated attackers to view arbitrary/private event content. • CWE-862: Missing Authorization •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2019-15109 – The Events Calendar <= 4.8.1 - Cross-Site Scripting via tribe_paged Parameter
https://notcve.org/view.php?id=CVE-2019-15109
The the-events-calendar plugin before 4.8.2 for WordPress has XSS via the tribe_paged URL parameter. El plugin the-events-calendar versiones anteriores a 4.8.2 para WordPress, presenta una vulnerabilidad de tipo XSS por medio del parámetro de URL tribe_paged. The Events Calendar plugin before 4.8.2 for WordPress has XSS via the tribe_paged URL parameter. • https://wordpress.org/plugins/the-events-calendar/#developers https://wpvulndb.com/vulnerabilities/9554 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •