CVE-2024-3756

7.5 HIGH

📋 TL;DR

The MF Gig Calendar WordPress plugin through version 1.2.1 lacks Cross-Site Request Forgery (CSRF) protection on certain endpoints, allowing attackers to trick authenticated users with Contributor or higher privileges into deleting arbitrary calendar events. This affects WordPress sites using the vulnerable plugin version.

💻 Affected Systems

Products:
  • MF Gig Calendar WordPress Plugin
Versions: through 1.2.1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress installation with the plugin enabled and at least one user with Contributor or higher role logged in.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could delete all calendar events, causing data loss and disrupting event management functionality on affected WordPress sites.

🟠 Likely Case

Targeted deletion of specific events by tricking authenticated users into clicking malicious links, leading to data integrity issues.

🟢 If Mitigated

Minimal impact if proper CSRF tokens are implemented or if the plugin is disabled/updated.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires social engineering to trick authenticated users into visiting malicious pages.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.2.2 or later

Vendor Advisory: https://wpscan.com/vulnerability/b28d0dca-2df1-4925-be81-dd9c46859c38/

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find MF Gig Calendar and click 'Update Now' if available.
4. Alternatively, download the latest version from the WordPress repository and replace the plugin files.

🔧 Temporary Workarounds

Disable Plugin (all platforms)

Temporarily disable the vulnerable plugin until patched.

wp plugin deactivate mf-gig-calendar

Restrict User Roles (all platforms)

Limit Contributor and higher role assignments to trusted users only.

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to block CSRF attempts targeting the plugin endpoints.
  • Educate users about phishing risks and implement strict access controls for Contributor+ roles.

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Plugins > Installed Plugins for MF Gig Calendar version. If version is 1.2.1 or earlier, it's vulnerable.

Check Version:

wp plugin get mf-gig-calendar --field=version

Verify Fix Applied:

After update, verify plugin version shows 1.2.2 or later in WordPress admin.

📡 Detection & Monitoring

Log Indicators:

  • Unusual event deletion patterns in WordPress logs
  • Multiple DELETE requests to MF Gig Calendar endpoints from unexpected sources

Network Indicators:

  • HTTP POST requests to /wp-admin/admin-ajax.php with action parameters related to event deletion without proper referrer headers

SIEM Query:

source="wordpress" AND (uri_path="/wp-admin/admin-ajax.php" AND action="mf_gig_calendar_delete_event")
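As an added detection example (not part of this advisory and not the plugin's own code), the following Python scans constructed structured request logs for the network indicator above: a POST to admin-ajax.php carrying the deletion action whose Referer is missing or points off-site. The log field names, the site hostname and the action name (copied from the SIEM query above, not verified against the plugin's source) are assumptions.

```python
import json
from urllib.parse import urlparse

SITE_HOST = "blog.example.org"                  # assumed site hostname
DELETE_ACTION = "mf_gig_calendar_delete_event"  # action name as given in the SIEM query above (assumption)

# Constructed sample of JSON-per-line request logs (e.g. a reverse-proxy or WAF export);
# the field names are assumptions, not any real product's schema.
SAMPLE_LOGS = """
{"ts":"2024-04-01T10:00:01Z","src":"203.0.113.5","method":"POST","path":"/wp-admin/admin-ajax.php","params":{"action":"mf_gig_calendar_delete_event","id":"17"},"referer":"https://blog.example.org/wp-admin/edit.php","user":"editor1"}
{"ts":"2024-04-01T10:02:13Z","src":"198.51.100.9","method":"POST","path":"/wp-admin/admin-ajax.php","params":{"action":"mf_gig_calendar_delete_event","id":"18"},"referer":"https://evil.example.net/win-a-prize.html","user":"contributor2"}
{"ts":"2024-04-01T10:03:44Z","src":"198.51.100.9","method":"POST","path":"/wp-admin/admin-ajax.php","params":{"action":"mf_gig_calendar_delete_event","id":"19"},"referer":"","user":"contributor2"}
{"ts":"2024-04-01T10:04:00Z","src":"203.0.113.5","method":"POST","path":"/wp-admin/admin-ajax.php","params":{"action":"heartbeat"},"referer":"","user":"editor1"}
"""


def referer_is_foreign(referer, site_host):
    """True when the Referer is absent or names a host other than the site itself.
    An empty Referer counts as suspicious: a same-origin admin page normally sends one,
    and a cross-site request may strip it."""
    if not referer:
        return True
    return urlparse(referer).hostname != site_host


def find_suspicious_deletes(log_text, site_host=SITE_HOST, action=DELETE_ACTION):
    """Return records matching the advisory's indicator: a POST to admin-ajax.php that
    carries the delete action and whose Referer is missing or off-site. Other actions
    (e.g. the WordPress heartbeat) are ignored even when they lack a Referer."""
    hits = []
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        if rec.get("method") != "POST" or rec.get("path") != "/wp-admin/admin-ajax.php":
            continue
        if rec.get("params", {}).get("action") != action:
            continue
        if referer_is_foreign(rec.get("referer"), site_host):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_deletes(SAMPLE_LOGS):
        print(hit["ts"], hit["user"], hit["src"], "event", hit["params"]["id"],
              "referer:", hit["referer"] or "<none>")
```

A hit is a lead, not proof of exploitation: a browser privacy setting or a strict Referrer-Policy can also blank the header, so correlate with the acting user's session and the deleted event ids before acting.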
