CVE-2022-3891

2023-02-1315:15:14

[email protected]

web.nvd.nist.gov

wp fullcalendar

wordpress

plugin

cve-2022-3891

security vulnerability

unauthenticated access

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

0.001 Low

EPSS

Percentile

32.1%

JSON

The WP FullCalendar WordPress plugin before 1.5 does not ensure that the post retrieved via an AJAX action is public and can be accessed by the user making the request, allowing unauthenticated attackers to get the content of arbitrary posts, including draft/private as well as password-protected ones.

Affected configurations

Vulners

NVD

Node

pixelitewp_fullcalendarRange<1.5

VendorProductVersionCPE
pixelitewp_fullcalendar*cpe:2.3:a:pixelite:wp_fullcalendar:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
pixelite	wp_fullcalendar	*	cpe:2.3:a:pixelite:wp_fullcalendar::::::::

CNA Affected

[
  {
    "vendor": "Unknown",
    "product": "WP FullCalendar",
    "versions": [
      {
        "status": "affected",
        "versionType": "custom",
        "version": "0",
        "lessThan": "1.5"
      }
    ],
    "defaultStatus": "unaffected",
    "collectionURL": "https://wordpress.org/plugins"
  }
]