CVE-2023-6360
Published: 2023-11-30
Priority: P187 · Critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ITW · Exploit · VulnCheck KEV
Exploited in the wild
EPSS: 63.14% (99.1th percentile)
The 'My Calendar' WordPress Plugin, version < 3.4.22 is affected by an unauthenticated SQL injection vulnerability in the 'from' and 'to' parameters in the '/my-calendar/v1/events' rest route.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| joedolson | my_calendar | < 3.4.22 | 3.4.22 |
Detection & IOCs (extracted from sources)

Sigma rule:

```yaml
title: CVE-2023-6360 My Calendar SQLi
detection:
  selection:
    url|contains: '/my-calendar/v1/events'
  condition: selection
```

- Monitor HTTP requests (GET/POST) to the REST API endpoint '/my-calendar/v1/events' for SQL injection payloads in the 'from' and 'to' query parameters (e.g., single quotes, UNION SELECT, sleep/benchmark functions).
- No authentication is required to exploit this vulnerability; alert on any anomalous or malformed values in the 'from' and 'to' parameters of the My Calendar REST route regardless of session/auth context.
- The YARA/detection rule digest provided in the source is a signed artifact; verify rule integrity against the embedded digest before deployment.
- The vulnerability affects My Calendar plugin versions strictly below 3.4.22; scope version-based detection or blocking to < 3.4.22 to avoid false positives on patched installations.
CVSS provenance
- nvd: v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- vulncheck: 8.6 HIGH
GHSA
GHSA-x23q-f896-mvpf · ghsa_unreviewed · 2023-11-30 · CVE-2023-6360 [HIGH] · CWE-89
The 'My Calendar' WordPress Plugin, version < 3.4.22 is affected by an unauthenticated SQL injection vulnerability in the 'from' and 'to' parameters in the '/my-calendar/v1/events' rest route.
VulnCheck
joedolson my_calendar: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') · vulncheck · 2023 · CVSS 8.6 · CVE-2023-6360 [HIGH]
The 'My Calendar' WordPress Plugin, version < 3.4.22 is affected by an unauthenticated SQL injection vulnerability in the 'from' and 'to' parameters in the '/my-calendar/v1/events' rest route.
Affected: joedolson my_calendar
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://app.crowdsec.net/cti/cve-explorer/CVE-2023-6360
No detection rules found.
Nuclei
WordPress My Calendar <3.4.22 - SQL Injection · nuclei · CVSS 9.8 · CVE-2023-6360 [CRITICAL]
Template fragment (only the tail of the template survives in the source):

```yaml
    condition: and
# digest: 4b0a00483046022100ba436f2657c8426c6514a07312d5f964c7a44cc3d265e83f0ecbd6146ef0885f02210081496da78b080200f6c7f751cf1b102657e240bb0959ec1f9c0deb535f87e9e8:922c64590222798bb761d5b6d8e72950
```
No writeups or analysis indexed.
Timeline
- 2023-11-30: Published
- Exploited in the wild