PT-2023-7555 · WordPress · Wordpress Calendar Plugin

Joshua Martinelle · Published 2023-11-30 · Updated 2024-02-27 · CVE-2023-6360

CVSS v3.1: 10 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

My Calendar WordPress Plugin, versions earlier than 3.4.22

Description

The issue is an unauthenticated SQL injection vulnerability in the from and to parameters of the "/my-calendar/v1/events" REST route. It allows a remote attacker to execute arbitrary SQL queries against the database.

Recommendations

For My Calendar WordPress Plugin versions earlier than 3.4.22, update to version 3.4.22 or later to resolve the issue. As a temporary workaround, consider restricting access to the "/my-calendar/v1/events" API endpoint until a patch is available. Avoid using the from and to parameters in the affected API endpoint until the issue is resolved.
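As an added defender-side example (not part of this advisory), the following Python scans web server access logs for requests to the affected REST route whose from or to values are not strict YYYY-MM-DD dates, which is the allowlist shape a calendar range query should have. The log lines and client addresses are constructed, and the route match also covers the rest_route query form used by WordPress sites without pretty permalinks.

```python
import re
from datetime import date
from urllib.parse import urlsplit, parse_qs

# Constructed access log lines (not real traffic). Two hit the affected
# My Calendar route with malformed range values, one is a benign request.
SAMPLE_LOG = """\
203.0.113.5 - - [30/Nov/2023:10:00:01 +0000] "GET /wp-json/my-calendar/v1/events?from=2023-11-01&to=2023-11-30 HTTP/1.1" 200 812
203.0.113.7 - - [30/Nov/2023:10:00:02 +0000] "GET /wp-json/my-calendar/v1/events?from=2023-11-01'&to=2023-11-30 HTTP/1.1" 500 0
203.0.113.9 - - [30/Nov/2023:10:00:03 +0000] "GET /?rest_route=/my-calendar/v1/events&from=2023-11-01&to=11/30/2023 HTTP/1.1" 200 300
203.0.113.9 - - [30/Nov/2023:10:00:04 +0000] "GET /wp-json/wp/v2/posts?per_page=5 HTTP/1.1" 200 4400
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
AFFECTED_ROUTE = "/my-calendar/v1/events"   # route named in the advisory
DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")


def is_strict_date(value: str) -> bool:
    """Allowlist check: exactly YYYY-MM-DD and a real calendar date."""
    if not DATE_RE.match(value):
        return False
    try:
        date.fromisoformat(value)
        return True
    except ValueError:
        return False


def suspicious_requests(log_text: str) -> list[dict]:
    """Return requests to the affected route whose from/to values fail the allowlist."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        params = parse_qs(parts.query, keep_blank_values=True)
        route = parts.path.rstrip("/")
        if "rest_route" in params:      # WordPress without pretty permalinks
            route = params["rest_route"][0].rstrip("/")
        if not route.endswith(AFFECTED_ROUTE):
            continue
        bad = {k: v for k in ("from", "to") for v in params.get(k, [])
               if not is_strict_date(v)}
        if bad:
            findings.append({"ip": m["ip"], "ts": m["ts"],
                             "status": m["status"], "bad_params": bad})
    return findings
```

Run against the sample it reports the two malformed requests and ignores the well-formed range and the unrelated route.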

Exploit · Fix · SQL injection

Weakness Enumeration

Related identifiers

BDU:2023-08610
CVE-2023-6360

Affected products

Wordpress Calendar Plugin