cbcvebase.
CVE-2023-6360
published 2023-11-30


Priority: P187 · Severity: critical · Score: 9.8 (CVSS 3.1)
CVSS metrics: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Flags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 63.14% (99.1th percentile)
The 'My Calendar' WordPress Plugin, version < 3.4.22 is affected by an unauthenticated SQL injection vulnerability in the 'from' and 'to' parameters in the '/my-calendar/v1/events' rest route.

Affected

1 range

Vendor      Product       Version range   Fixed in
joedolson   my_calendar   < 3.4.22        3.4.22

Detection & IOCs (extracted from sources)

url: /my-calendar/v1/events

sigma
  title: CVE-2023-6360 My Calendar SQLi
  # logsource added to make the rule complete; the category value is an assumption
  logsource:
    category: webserver
  detection:
    selection:
      url|contains: '/my-calendar/v1/events'
    # matches every request to the route; the notes below narrow this to payload indicators in 'from'/'to'
    condition: selection
  • Monitor HTTP requests (GET/POST) to the REST API endpoint '/my-calendar/v1/events' for SQL injection payloads in the 'from' and 'to' query parameters (e.g., single quotes, UNION SELECT, sleep/benchmark functions).
  • No authentication is required to exploit this vulnerability; alert on any anomalous or malformed values in the 'from' and 'to' parameters of the My Calendar REST route regardless of session/auth context.
  • The YARA/detection rule digest provided in the source is a signed artifact; verify rule integrity against the embedded digest before deployment.
  • Vulnerability affects My Calendar plugin versions strictly below 3.4.22; ensure version-based detection or blocking is scoped to < 3.4.22 to avoid false positives on patched installations.
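The two monitoring notes above (route match, then payload indicators or malformed values in 'from'/'to') as a small log scanner, written here as an added example and not part of this record or of any vendor tooling. It assumes combined-format web-server access logs, that the REST route is reached under the WordPress /wp-json/ prefix or via the index.php?rest_route= form, and that legitimate 'from'/'to' values are plain YYYY-MM-DD dates; the sample log lines are constructed.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Route from the CVE description; WordPress exposes it under /wp-json/ or via ?rest_route= (assumed here).
ROUTE = "/my-calendar/v1/events"
WATCHED_PARAMS = ("from", "to")

# Payload indicators named in the detection notes: quotes, UNION SELECT, sleep()/benchmark().
SUSPICIOUS = re.compile(
    r"'|\bunion\b\s+(?:all\s+)?select\b|\bsleep\s*\(|\bbenchmark\s*\(", re.IGNORECASE
)
# Assumed benign shape of the parameters: an ISO date. Anything else is "malformed".
DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")

# Combined log format: ip ident user [ts] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def check_request(target):
    """Return (param, value, reason) tuples for a request target that hits the route.

    reason is 'sqli-indicator' when a payload pattern is present, 'malformed' when the
    value is merely not a date. Requests to other routes yield an empty list.
    """
    parts = urlsplit(target)
    params = parse_qs(parts.query, keep_blank_values=True)
    path = unquote_plus(parts.path)
    rest_route = "".join(params.get("rest_route", []))
    if ROUTE not in path and ROUTE not in rest_route:
        return []
    findings = []
    for name in WATCHED_PARAMS:
        for value in params.get(name, []):
            decoded = unquote_plus(value)  # second decode catches double-encoded payloads
            if SUSPICIOUS.search(decoded):
                findings.append((name, decoded, "sqli-indicator"))
            elif not DATE_RE.match(decoded):
                findings.append((name, decoded, "malformed"))
    return findings


def scan_log(lines):
    """Parse access-log lines and return one alert dict per suspicious parameter value."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        for param, value, reason in check_request(m.group("target")):
            alerts.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "method": m.group("method"),
                "status": m.group("status"),
                "param": param,
                "value": value,
                "reason": reason,
            })
    return alerts


# Constructed sample lines (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Dec/2023:10:00:00 +0000] "GET /wp-json/my-calendar/v1/events?from=2023-12-01&to=2023-12-31 HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Dec/2023:10:00:05 +0000] "GET /wp-json/my-calendar/v1/events?from=2023-12-01\'%20AND%20SLEEP(5)--%20&to=2023-12-31 HTTP/1.1" 200 0',
    '198.51.100.7 - - [01/Dec/2023:10:00:09 +0000] "GET /index.php?rest_route=/my-calendar/v1/events&from=2023-12-01&to=2023-12-31%22 HTTP/1.1" 400 87',
    '203.0.113.9 - - [01/Dec/2023:10:00:12 +0000] "GET /wp-json/wp/v2/posts?from=%27 HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

The route check is deliberately a substring match, mirroring the Sigma selection, so it holds for both URL forms; the parameter checks are what keep the alert volume down on a busy site, since a patched install still serves the same route. Scope any blocking built on this to plugin versions below 3.4.22, as the last note says.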

CVSS provenance

NVD (v3.1): 9.8 CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
VulnCheck: 8.6 HIGH