CVE-2023-6360 Scanner

Vulnerability Overview

CVE Identifier: CVE-2023-6360

Vulnerable Component: WordPress My Calendar plugin

Parameters Affected: 'from' and 'to' parameters in '/my-calendar/v1/events' REST route

Issue: Unauthenticated SQL Injection

Vulnerability Details

The vulnerability stems from a lack of proper sanitization of the 'from' and 'to' parameters within the '/my-calendar/v1/events' REST route. Attackers can exploit this oversight by crafting malicious requests that manipulate the SQL query, potentially leading to unauthorized database access, information disclosure, or database manipulation.

Possible Effects

An exploitation of this vulnerability could lead to significant impacts on an organization, including unauthorized access to sensitive data, manipulation of calendar events, and potentially compromising the entire WordPress site. It may also serve as a gateway for more sophisticated attacks against the website's users or infrastructure.

Why Choose SecurityForEveryone

SecurityForEveryone provides a user-friendly platform that simplifies the process of scanning for and understanding various vulnerabilities. By becoming a member, you gain access to a suite of tools designed to enhance your website's security posture. Our scanners are updated regularly to detect the latest vulnerabilities, ensuring your site remains protected against evolving threats. Join us to make cybersecurity accessible and manageable.

References

• Tenable Research - TRA-2023-40
• Joe Dolson's Security Release Notice
• WordPress Plugin Repository
• NVD - CVE-2023-6360