Plugin Vulnerability fixed in My Calendar 3.3.17

July 17, 2022

Topics: Plugins.

This morning, I was alerted to suspicious activity in server logs referring to the My Calendar print view by a concerned user. Checking the data, it was clear that there was a significant security issue in My Calendar which was being used to generate links out to remote sites by abusing the referrer URL (Uniform Resource Locator) in the My Calendar print view. This security issue was fixed in version 3.3.17, released this morning.

The issue would not impact any user navigating to the print view from your own site calendar, but could be used by an external site to generate a dynamic view on your site with a link of their choice. The primary use case for this abuse would probably be SEO manipulation by generating fake backlinks, though it is possible it could be used to send users from an external site through your site to a malicious URL.

Please update to version 3.3.17 as soon as possible! Thanks to Dan Kegel for the responsible and prompt disclosure.

Have something to contribute?

« Read my Comment Policy

1 Comment on “Plugin Vulnerability fixed in My Calendar 3.3.17”

  1. We started getting errors on our site with the recent updates. See below for debug log. I’ve had to disable the plugin to allow the site to function.

    [07-Sep-2022 03:52:57 UTC] PHP (Hypertext PreProcessing) Fatal error: Uncaught ArgumentCountError: Too few arguments to function mc_search_results_title(), 1 passed in /home/customer/www/ on line 307 and exactly 2 expected in /home/customer/www/
    Stack trace:
    #0 /home/customer/www/ mc_search_results_title(‘Simple Slider 1…’)
    #1 /home/customer/www/ WP_Hook->apply_filters(‘Simple Slider 1…’, Array)
    #2 /home/customer/www/ apply_filters(‘the_title’, ‘Simple Slider 1…’)
    #3 /home/customer/www/ G1_Simple_Sliders_Base_Module->add_slider_choices(Array)
    #4 /home/customer/www/ WP_Hook->apply_f in /home/customer/www/ on line 166