Description
The WordPress plugin WP FullCalendar is prone to a security bypass vulnerability. Exploiting this issue may allow attackers to perform otherwise restricted actions and subsequently retrieve the content of arbitrary posts, including draft and private posts as well as password-protected ones. WP FullCalendar version 1.4.1 is vulnerable; prior versions may also be affected.
Remediation
Update the plugin to version 1.5 or the latest available version.
References
https://sploitus.com/exploit?id=WPEX-ID:5A69965D-D243-4D51-B7A4-D6F4B199ABF1
https://plugins.svn.wordpress.org/wp-fullcalendar/trunk/readme.txt