CVE-2024-30528: 
WordPress vulnerability analysis and mitigation

A Missing Authorization vulnerability was identified in Spiffy Plugins Spiffy Calendar, affecting versions through 4.9.10. The vulnerability was discovered by Steven Julian and was assigned CVE-2024-30528. The issue was reported on March 11, 2024, and publicly disclosed on March 29, 2024 (Patchstack).

The vulnerability is classified as a Missing Authorization issue (CWE-862) and has received a CVSS v3.1 base score of 6.3 (Medium) from NIST NVD, while Patchstack assigned it a CVSS score of 5.4 (Medium). The vulnerability represents a broken access control issue where there is a missing authorization, authentication, or nonce token check in a function that could allow an unprivileged user to execute certain higher privileged actions (Patchstack).

The vulnerability has been assessed as having a low severity impact and is considered unlikely to be exploited. It could potentially allow unprivileged users to perform actions that should be restricted to users with higher privileges (Patchstack).

The vulnerability has been fixed in version 4.9.11 of the Spiffy Calendar plugin. Users are advised to update to version 4.9.11 or later to remediate the issue. Additionally, Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks until users can update to the fixed version (Patchstack).