CVE-2024-38692

HIGH

Spiffy Calendar <4.9.11 - SQL Injection

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2024-38692. PoCs published by certuscyber.

AI-analyzed exploit summary The repository contains functional exploit code for multiple WordPress plugin vulnerabilities, including SQL injection (CVE-2014-5182, CVE-2014-5185) and insecure deserialization (CVE-2020-29045). The PoCs include authentication, payload delivery, and data exfiltration logic.

Description

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Spiffy Plugins Spiffy Calendar allows SQL Injection.This issue affects Spiffy Calendar: from n/a through 4.9.11.

Exploits (1)

github WORKING POC 3 stars
by certuscyber · pythonpoc
https://github.com/certuscyber/cve-pocs/tree/main/CVE-2024-38692

The repository contains functional exploit code for multiple WordPress plugin vulnerabilities, including SQL injection (CVE-2014-5182, CVE-2014-5185) and insecure deserialization (CVE-2020-29045). The PoCs include authentication, payload delivery, and data exfiltration logic.

Classification
Working Poc 100%
Attack Type
Sqli
Complexity
Moderate
Reliability
Reliable
Target: WordPress YAWPP plugin <= 1.2, WordPress Quartz plugin <= 1.01.1, Five Star Restaurant Menu and Food Ordering plugin <= 2.2.0
Auth required
Prerequisites: WordPress installation with vulnerable plugin · Valid credentials (contributor role or higher)
devstral-2 · analyzed Feb 27, 2026 Full analysis →

References (1)

Core 1

Scores

CVSS v3 7.6
EPSS 0.0072
EPSS Percentile 48.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-89
Status published
Products (2)
Spiffy Plugins/Spiffy Calendar < 4.9.11
spiffyplugins/spiffy_calendar < 4.9.12
Published Jul 22, 2024
Tracked Since Feb 18, 2026