Reflected XSS Vulnerability in Spiffy Calendar
CVE-2024-30427

6.1MEDIUM

Key Information:

Vendor: WordPress
Status: Spiffy Calendar
Vendor: CVE Published:; 29 March 2024

What is CVE-2024-30427?

A reflected Cross-site Scripting (XSS) vulnerability exists in the Spiffy Calendar plugin developed by Spiffy Plugins. This vulnerability is due to improper neutralization of user input during the web page generation process. Attackers can exploit this flaw to inject malicious scripts into web pages viewed by unsuspecting users, potentially leading to unauthorized access to sensitive information or session hijacking. The issue affects all versions of Spiffy Calendar from n/a through 4.9.7, emphasizing the need for immediate remediation to secure web applications using this plugin.

Affected Version(s)

Spiffy Calendar <= 4.9.7

References

https://patchstack.com/database/vulnerability/spiffy-cale...

vdb-entry

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 29, 2024
Vulnerability Reserved
Mar 27, 2024

Credit

Dimas Maulana (Patchstack Alliance)