CVE-2024-3756

CWE-352 — Cross-Site Request Forgery (CSRF)3 documents3 sources

Severity

7.5HIGH

EPSS

0.3%

top 42.72%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Unknown MF GIG Calendar MF GIG Calendar Project MF GIG Calendar

Timeline

PublishedMay 6

Description

The MF Gig Calendar WordPress plugin through 1.2.1 does not have CSRF checks in some places, which could allow attackers to make logged in Contributors and above delete arbitrary events via a CSRF attack

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 1.6 | Impact: 5.9

Affected Packages2 packages

▶CVEListV5unknown/mf_gig_calendar1.2.1

▶NVDmf_gig_calendar_project/mf_gig_calendar1.2.1

🔴Vulnerability Details

CVEList

MF Gig Calendar <= 1.2.1 - Arbitrary Event Deletion via CSRF↗2024-05-06

▶

GHSA

GHSA-8q98-72mq-w92m: The MF Gig Calendar WordPress plugin through 1↗2024-05-06

▶