This is a summary of the AI-generated 10-question deep analysis. The full version (longer answers, follow-up Q&A, related CVEs) requires login. Read the full analysis β
Q1What is this vulnerability? (Essence + Consequences)
π‘οΈ **Root Cause**: **CWE-89** (SQL Injection). π **Flaw**: Unsanitized input in REST API parameters. Specifically the **'from'** and **'to'** fields in the `/my-calendar/v1/events` route.
Q3Who is affected? (Versions/Components)
π¦ **Affected**: WordPress Plugin **My Calendar**. π **Versions**: **< 3.4.22**. β οΈ **Note**: Versions 3.4.22 and above are safe.
Q4What can hackers do? (Privileges/Data)
π **Attacker Capabilities**: 1. **Read**: Extract sensitive database data (User creds, site config). 2. **Write**: Modify/Delete data. 3. **Impact**: Full database compromise via SQLi.
Q5Is exploitation threshold high? (Auth/Config)
π **Exploitation Threshold**: **LOW**. π€ **Auth**: **Unauthenticated** (No login needed). π **Access**: Remote via REST API endpoint. Easy to trigger.
Q6Is there a public Exp? (PoC/Wild Exploitation)
π₯ **Public Exploits**: **YES**. π **PoCs Available**: GitHub repos (mr-won, user20252228) & Nuclei templates. π **Status**: Active exploitation possible for anyone with the PoC.
Q7How to self-check? (Features/Scanning)
π **Self-Check Method**: 1. Scan for `/my-calendar/v1/events` endpoint. 2. Inject SQL payloads into `from`/`to` params. 3. Use **Nuclei** template for CVE-2023-6360. 4. Check plugin version in WP Admin.
Q8Is it fixed officially? (Patch/Mitigation)
π οΈ **Official Fix**: **YES**. β **Patch**: Update **My Calendar** to **v3.4.22** or later. π **Action**: Immediate update required.