{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-68523", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2025-12-19T10:16:57.339Z", "datePublished": "2025-12-24T12:31:24.167Z", "dateUpdated": "2026-04-28T16:14:29.274Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "spiffy-calendar", "product": "Spiffy Calendar", "vendor": "Spiffy Plugins", "versions": [{"changes": [{"at": "5.0.8", "status": "unaffected"}], "lessThanOrEqual": "5.0.7", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "daroo | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-22T14:23:12.245Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in Spiffy Plugins Spiffy Calendar spiffy-calendar allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Spiffy Calendar: from n/a through <= 5.0.7.</p>"}], "value": "Missing Authorization vulnerability in Spiffy Plugins Spiffy Calendar spiffy-calendar allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Spiffy Calendar: from n/a through <= 5.0.7."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:29.274Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/spiffy-calendar/vulnerability/wordpress-spiffy-calendar-plugin-5-0-7-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress Spiffy Calendar plugin <= 5.0.7 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-27T18:37:55.334240Z", "id": "CVE-2025-68523", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-27T18:37:58.022Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-68523", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-27T18:37:55.334240Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-24T19:09:08.070Z"}}], "cna": {"title": "WordPress Spiffy Calendar plugin <= 5.0.7 - Broken Access Control vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "daroo | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Spiffy Plugins", "product": "Spiffy Calendar", "versions": [{"status": "affected", "changes": [{"at": "5.0.8", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "5.0.7"}], "packageName": "spiffy-calendar", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-22T14:23:12.245Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/spiffy-calendar/vulnerability/wordpress-spiffy-calendar-plugin-5-0-7-broken-access-control-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Spiffy Plugins Spiffy Calendar spiffy-calendar allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Spiffy Calendar: from n/a through <= 5.0.7.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in Spiffy Plugins Spiffy Calendar spiffy-calendar allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Spiffy Calendar: from n/a through <= 5.0.7.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-23T14:13:56.854Z"}}}, "cveMetadata": {"cveId": "CVE-2025-68523", "state": "PUBLISHED", "dateUpdated": "2026-04-27T18:37:58.022Z", "dateReserved": "2025-12-19T10:16:57.339Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2025-12-24T12:31:24.167Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Spiffy Plugins Spiffy Calendar spiffy-calendar allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Spiffy Calendar: from n/a through <= 5.0.7."}], "id": "CVE-2025-68523", "lastModified": "2026-04-27T19:16:27.897", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2025-12-24T13:16:21.877", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/spiffy-calendar/vulnerability/wordpress-spiffy-calendar-plugin-5-0-7-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-28T18:29:40.203336+00:00", "value": {"mitigation_remediation": ["Upgrade Spiffy Calendar to the latest available version (at least 5.0.8) to apply the authorization fix.", "If an upgrade cannot be performed immediately, restrict frontend access to the plugin\u2019s features by applying WordPress role\u2011based access controls or disabling the plugin on public sites.", "Review and audit user accounts that have access to the plugin\u2019s settings to confirm that only authorized personnel can modify or view calendar data."], "summary": {"action": "Apply Patch", "impact": "Broken Access Control"}, "threat_synthesis": {"affected_systems": "Affected systems are WordPress sites that have the Spiffy Calendar plugin installed in versions up to and including 5.0.7. The plugin, developed by Spiffy Plugins, is distributed as a WordPress plugin. No other versions are flagged as vulnerable.", "description_and_impact": "The reported vulnerability is a missing authorization flaw in the Spiffy Calendar plugin for WordPress. This break in access control allows an attacker to invoke plugin functions or view data that should be restricted to privileged users. The weakness is a classic instance of CWE\u2011862 Unauthorized Access, potentially leading to data exposure or unauthorized modification of calendar events.", "risk_and_exploitability": "The CVSS score of 4.3 indicates a low\u2011to\u2011moderate severity. The EPSS score of less than 1% suggests exploitation is unlikely in the wild, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is not explicitly documented, but the missing checks imply that any user who can reach the plugin's endpoints could potentially trigger the flaw; therefore, the risk is most acute in environments where non\u2011privileged users can access these endpoints."}}}}, "created": "2025-12-29T22:34:32.233378+00:00", "updated": "2026-04-28T18:30:37.345879+00:00", "vendors": ["spiffyplugins", "spiffyplugins$PRODUCT$spiffy_calendar", "wordpress", "wordpress$PRODUCT$wordpress"]}