CVE-2022-29434 – WordPress Spiffy Calendar plugin <= 4.9.0 - Edit/Delete event via IDOR vulnerability
https://notcve.org/view.php?id=CVE-2022-29434
Insecure Direct Object References (IDOR) vulnerability in the Spiffy Plugins Spiffy Calendar plugin <= 4.9.0 for WordPress allows an attacker to edit or delete events.
References: https://patchstack.com/database/vulnerability/spiffy-calendar/wordpress-spiffy-calendar-plugin-4-9-0-edit-delete-event-via-idor-vulnerability https://wordpress.org/plugins/spiffy-calendar/#developers
CWE-639: Authorization Bypass Through User-Controlled Key
CVE-2022-25599 – WordPress Spiffy Calendar plugin <= 4.9.0 - Event deletion via Cross-Site Request Forgery (CSRF) vulnerability
https://notcve.org/view.php?id=CVE-2022-25599
A Cross-Site Request Forgery (CSRF) vulnerability leading to event deletion was discovered in the Spiffy Calendar WordPress plugin (versions <= 4.9.0).
References: https://patchstack.com/database/vulnerability/spiffy-calendar/wordpress-spiffy-calendar-plugin-4-9-0-event-deletion-via-cross-site-request-forgery-csrf-vulnerability https://wordpress.org/plugins/spiffy-calendar/#developers
CWE-352: Cross-Site Request Forgery (CSRF)
CVE-2017-9420 – Spiffy Calendar < 3.3.0 - Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2017-9420
Cross-site scripting (XSS) vulnerability in the Spiffy Calendar plugin before 3.3.0 for WordPress allows remote attackers to inject arbitrary JavaScript via the yr parameter.
References: http://spiffycalendar.sunnythemes.com/version-3-3-0 http://www.securityfocus.com/bid/98931 https://wpvulndb.com/vulnerabilities/8842
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')