CVE-2022-3891: WP FullCalendar < 1.5 - Unauthenticated Arbitrary Post Access
First published: Mon Feb 13 2023(Updated: )
The WP FullCalendar WordPress plugin before 1.5 does not ensure that the post retrieved via an AJAX action is public and can be accessed by the user making the request, allowing unauthenticated attackers to get the content of arbitrary posts, including draft/private as well as password-protected ones.
Credit: contact@wpscan.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Pixelite WP FullCalendar | <1.5 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Frequently Asked Questions
What is the severity of CVE-2022-3891?
CVE-2022-3891 has a medium severity rating due to the potential exposure of private content.
How do I fix CVE-2022-3891?
To fix CVE-2022-3891, update the WP FullCalendar plugin to version 1.5 or later.
What type of attack can be executed using CVE-2022-3891?
CVE-2022-3891 allows unauthenticated attackers to retrieve content from arbitrary posts, including draft and private posts.
Which versions are affected by CVE-2022-3891?
CVE-2022-3891 affects all versions of the WP FullCalendar plugin prior to version 1.5.
Can authenticated users be impacted by CVE-2022-3891?
Yes, authenticated users can be impacted if they are able to exploit the vulnerability to access unauthorized content.
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/references
- agent/author
- agent/title
- agent/severity
- agent/weakness
- agent/event
- agent/first-publish-date
- agent/description
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/pixelite
- canonical/pixelite wp fullcalendar