The WP FullCalendar WordPress plugin prior to 1.5 does not ensure that the post retrieved via an AJAX action is public and can be accessed by the user making the request, allowing unauthenticated malicious users to get the content of arbitrary posts, including draft/private as well as password-protected ones.
Vulnerable Product |
---|
pixelite wp fullcalendar |
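
The missing check described in the advisory, shown as an added example of a hardened AJAX handler; this is not WP FullCalendar's code or its actual patch. The action name `example_event_content`, the function name and the `post_id` parameter are hypothetical, and WordPress 5.7 or later is assumed for `is_post_publicly_viewable()`.

```php
<?php
// Added example: hypothetical AJAX handler, not the plugin's own code.
// Action name, function name and request parameter are assumptions.

add_action( 'wp_ajax_example_event_content', 'example_event_content' );
// The nopriv hook makes the handler reachable without a login, so every
// access decision has to be made inside the handler itself.
add_action( 'wp_ajax_nopriv_example_event_content', 'example_event_content' );

function example_event_content() {
    $post_id = isset( $_REQUEST['post_id'] ) ? absint( $_REQUEST['post_id'] ) : 0;
    $post    = $post_id ? get_post( $post_id ) : null;

    if ( ! $post ) {
        wp_send_json_error( array( 'message' => 'Not found' ), 404 );
    }

    // Draft, pending, private, future and trashed posts are returned only to
    // a user whose capabilities allow reading this specific post. The same
    // 404 as above is sent so the response does not confirm the post exists.
    if ( ! is_post_publicly_viewable( $post )
        && ! current_user_can( 'read_post', $post->ID ) ) {
        wp_send_json_error( array( 'message' => 'Not found' ), 404 );
    }

    // Password-protected posts: withhold the content until the visitor has
    // supplied the post password (checked via the postpass cookie).
    if ( post_password_required( $post ) ) {
        wp_send_json_error( array( 'message' => 'Password required' ), 403 );
    }

    wp_send_json_success(
        array(
            'title'   => get_the_title( $post ),
            'excerpt' => wp_trim_words( wp_strip_all_tags( $post->post_content ), 30 ),
        )
    );
}
```

`wp_send_json_error()` and `wp_send_json_success()` terminate the request, so each failed check stops execution before any post content is read into the response.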