CVE-2022-38067 – WordPress Event Calendar – Calendar plugin <= 1.4.6 - Unauthenticated Event Deletion vulnerability
https://notcve.org/view.php?id=CVE-2022-38067
Unauthenticated Event Deletion vulnerability in Totalsoft Event Calendar – Calendar plugin <= 1.4.6 at WordPress. Una vulnerabilidad de Eliminación de Eventos no Autenticada en el plugin Totalsoft Event Calendar - Calendar versiones anteriores a 1.4.6 incluyéndola, en WordPress The Event Calendar plugin for WordPress lacks authorization and capability checks on several of its functions reachable via AJAX actions in versions up to, and including, 1.4.6. This makes it possible for unauthenticated attackers to edit, clone, and delete events. • https://patchstack.com/database/vulnerability/calendar-event/wordpress-event-calendar-calendar-plugin-1-4-6-unauthenticated-event-deletion-vulnerability/_s_id=cve https://wordpress.org/plugins/calendar-event • CWE-264: Permissions, Privileges, and Access Controls CWE-862: Missing Authorization •
CVE-2022-36390 – WordPress Event Calendar – Calendar plugin <= 1.4.6 - Authenticated Reflected Cross-Site Scripting (XSS) vulnerability
https://notcve.org/view.php?id=CVE-2022-36390
Authenticated (subscriber+) Reflected Cross-Site Scripting (XSS) vulnerability in Totalsoft Event Calendar – Calendar plugin <= 1.4.6 at WordPress. Una vulnerabilidad de tipo cross-Site Scripting (XSS) Reflejado y Autenticado (suscriptor+) en el plugin Totalsoft Event Calendar - Calendar versiones anteriores a 1.4.6 incluyéndola, en WordPress The Event Calendar plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 1.4.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. • https://patchstack.com/database/vulnerability/calendar-event/wordpress-event-calendar-calendar-plugin-1-4-6-authenticated-reflected-cross-site-scripting-xss-vulnerability https://wordpress.org/plugins/calendar-event/#developers • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •