S4E

CVE-2023-6360 Scanner

Detects the SQL Injection (SQLi) vulnerability in the My Calendar plugin for WordPress. Affects versions before 3.4.22.

Short Info

Level: Critical
Scan Type: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 4 weeks
Scan only one: URL
Toolbox: -

Vulnerability Overview

CVE Identifier: CVE-2023-6360

Vulnerable Component: WordPress My Calendar plugin

Parameters Affected: 'from' and 'to' parameters in '/my-calendar/v1/events' REST route

Issue: Unauthenticated SQL Injection
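The affected range is "before 3.4.22", so the least intrusive check an asset owner can run is to read the plugin's declared version and compare it numerically. The following is an added example written for this page; it is not S4E's scanner code or the plugin's code. It assumes the standard WordPress plugin header format (a "Version:" line in the main PHP file's comment block); the header text is a constructed sample, and the cut-off 3.4.22 comes from the advisory text above.

```python
import re

# First release that is not affected, per the advisory text on this page.
FIXED_VERSION = (3, 4, 22)

# Constructed sample of a WordPress plugin header (not the plugin's real file).
SAMPLE_HEADER = """<?php
/*
Plugin Name: My Calendar
Version: 3.4.21
*/
"""

# Matches "Version: x.y.z" at the start of a line, tolerating comment prefixes.
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:[ \t]*(\S+)", re.MULTILINE | re.IGNORECASE)


def parse_version(text):
    """Return the header's Version as a tuple of ints, or None if absent."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    parts = re.findall(r"\d+", m.group(1))
    return tuple(int(p) for p in parts) if parts else None


def is_affected(version):
    """True when the version is below 3.4.22.

    Compare as integer tuples, not strings: as strings "3.4.9" sorts after
    "3.4.22" and a naive check would wrongly report it as patched.
    Returns None when the version is unknown, so an unreadable header is
    never silently treated as safe.
    """
    if version is None:
        return None
    padded = (version + (0, 0, 0))[:3]  # treat "3.5" as 3.5.0
    return padded < FIXED_VERSION


def check_plugin_header(text):
    """Parse a plugin header and report whether it falls in the affected range."""
    v = parse_version(text)
    return {"version": v, "affected": is_affected(v)}


if __name__ == "__main__":
    print(check_plugin_header(SAMPLE_HEADER))
```

A version check only tells you whether the code on disk is in the affected range; it does not confirm exploitability (the REST route may be disabled or filtered) and it does not replace updating the plugin.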

Vulnerability Details

The vulnerability stems from a lack of proper sanitization of the 'from' and 'to' parameters within the '/my-calendar/v1/events' REST route. Because the route is reachable through the WordPress REST API without authentication, an attacker can craft requests in which these parameters carry SQL fragments that alter the query the plugin builds, potentially leading to unauthorized database access, information disclosure, or database manipulation.
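To make the mechanism concrete, here is an added model of the vulnerability class and its fix. It is example code written for this page, not the My Calendar plugin's code or S4E's scanner, and it assumes a simplified schema (an events table with an event_begin column, plus a users table standing in for any data the attacker wants to read) and a date-range query of the general shape a 'from'/'to' filter implies. It uses an in-memory SQLite database so that it runs offline; the UNION payload is constructed for the demonstration.

```python
import re
import sqlite3
from datetime import date

# Constructed in-memory schema. A model of the vulnerability class, not the
# plugin's own schema; the hash value is a placeholder, not a real one.
SCHEMA = """
CREATE TABLE events (id INTEGER, title TEXT, event_begin TEXT);
CREATE TABLE users  (id INTEGER, user_login TEXT, user_pass TEXT);
INSERT INTO events VALUES (1, 'Team standup',   '2024-01-10');
INSERT INTO events VALUES (2, 'Release review', '2024-02-15');
INSERT INTO users  VALUES (1, 'admin', '$P$Bsample.hash.placeholder');
"""


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def events_vulnerable(conn, frm, to):
    """Hypothetical vulnerable pattern: request parameters are interpolated
    straight into the SQL text, so whatever the client sends as 'from'/'to'
    is executed as part of the query."""
    sql = ("SELECT id, title, event_begin FROM events "
           f"WHERE event_begin >= '{frm}' AND event_begin <= '{to}'")
    return conn.execute(sql).fetchall()


DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")


def validate_date(value):
    """Allow-list the parameter: exactly YYYY-MM-DD and a real calendar date."""
    if not isinstance(value, str) or not DATE_RE.match(value):
        raise ValueError(f"invalid date parameter: {value!r}")
    y, m, d = (int(p) for p in value.split("-"))
    date(y, m, d)  # raises ValueError for impossible dates such as 2024-13-45
    return value


def events_hardened(conn, frm, to):
    """Hardened pattern: validate first, then bind the values as parameters.
    The '?' placeholder is sqlite3's; in WordPress, $wpdb->prepare() with %s
    placeholders plays the same role."""
    frm, to = validate_date(frm), validate_date(to)
    sql = ("SELECT id, title, event_begin FROM events "
           "WHERE event_begin >= ? AND event_begin <= ?")
    return conn.execute(sql, (frm, to)).fetchall()


# Constructed attack value for 'to': closes the string literal, appends a
# UNION that reads the users table, and comments out the trailing quote.
UNION_PAYLOAD = "2024-12-31' UNION SELECT id, user_login, user_pass FROM users -- "


def demo():
    """Run the same payload against both query builders and summarize."""
    conn = open_db()
    normal = events_vulnerable(conn, "2024-01-01", "2024-12-31")
    leaked = events_vulnerable(conn, "2024-01-01", UNION_PAYLOAD)
    event_titles = {row[1] for row in normal}
    try:
        events_hardened(conn, "2024-01-01", UNION_PAYLOAD)
        blocked = False
    except ValueError:
        blocked = True
    return {
        "normal_rows": len(normal),
        "leaked_logins": sorted(r[1] for r in leaked if r[1] not in event_titles),
        "hardened_blocked": blocked,
    }


if __name__ == "__main__":
    print(demo())
```

The point of the hardened version is that both layers matter: strict validation rejects anything that is not a date, and parameter binding guarantees that even a value which passes validation can never be parsed as SQL.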

Possible Effects

An exploitation of this vulnerability could lead to significant impacts on an organization, including unauthorized access to sensitive data, manipulation of calendar events, and potentially compromising the entire WordPress site. It may also serve as a gateway for more sophisticated attacks against the website's users or infrastructure.

Why Choose S4E

S4E provides a user-friendly platform that simplifies the process of scanning for and understanding various vulnerabilities. By becoming a member, you gain access to a suite of tools designed to enhance your website's security posture. Our scanners are updated regularly to detect the latest vulnerabilities, ensuring your site remains protected against evolving threats. Join us to make cybersecurity accessible and manageable.
