CVE-2024-0855: 
WordPress vulnerability analysis and mitigation

The Spiffy Calendar WordPress plugin before version 4.9.9 contains a broken access control vulnerability identified as CVE-2024-0855. The vulnerability was discovered on January 12, 2024, and publicly disclosed on February 27, 2024. This security issue affects the event creation functionality in the Spiffy Calendar plugin for WordPress (WPScan).

The vulnerability stems from improper validation of the eventauthor parameter during event creation. The plugin fails to implement proper access controls, allowing any authenticated user with Contributor or higher privileges to manipulate the eventauthor parameter. The vulnerability has been assigned a CVSS v3.1 base score of 5.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N. It is classified as a Broken Access Control vulnerability (OWASP Top 10 A5) and is associated with CWE-863 (WPScan).

When exploited, this vulnerability allows attackers to create events that appear to be authored by other users, including administrators. This can lead to deception of users and administrators about the true origin of events in the calendar system, potentially undermining the integrity of event attribution and audit trails (WPScan).

The vulnerability has been patched in version 4.9.9 of the Spiffy Calendar plugin. Users are strongly advised to update to this version or later to mitigate the security risk (WPScan).