CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Description
Cross-Site Request Forgery (CSRF) vulnerability in Vadim Bogaiskov Bg Orthodox Calendar allows Stored XSS. This issue affects Bg Orthodox Calendar: from n/a through 0.13.10.
Analysis
A Cross-Site Request Forgery (CSRF) vulnerability in Vadim Bogaiskov's Bg Orthodox Calendar plugin enables Stored Cross-Site Scripting (XSS). The vulnerability affects all versions from an unspecified baseline through 0.13.10 and allows an unauthenticated attacker over the network to inject and store malicious scripts that execute in users' browsers, with moderate impact to confidentiality, integrity, and availability. The CVSS 7.1 score reflects the combination of a network attack vector with a user interaction requirement; real-world exploitation risk depends on whether this vulnerability is actively exploited or has public proof-of-concept code available.
Technical Context
The vulnerability exists in Bg Orthodox Calendar, a WordPress plugin developed by Vadim Bogaiskov. The root cause is classified under CWE-352 (Cross-Site Request Forgery), which occurs when an application fails to implement adequate CSRF tokens or validation on state-changing operations. Combined with Stored XSS, an attacker can forge a request on behalf of an authenticated user and have a persistent malicious payload written into the calendar data, where it executes whenever the calendar is viewed. The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:C) indicates a network-based attack of low complexity requiring no privileges but requiring user interaction, with a scope change allowing impact beyond the vulnerable component. This is typical of WordPress plugin vulnerabilities in which both CSRF protection and input sanitization are insufficient.
Affected Products
Product: Bg Orthodox Calendar (WordPress Plugin)
Vendor: Vadim Bogaiskov
Affected Versions: 0.13.10 and all prior versions (exact lower bound not specified in available data)
CPE Data: Unable to construct a precise CPE string without vendor namespace confirmation; the likely format would be cpe:2.3:a:vadim_bogaiskov:bg_orthodox_calendar:*:*:*:*:*:wordpress:*:* with version constraint <=0.13.10
Deployment Context: WordPress plugin ecosystem; requires a WordPress installation
Vendor Advisory: No vendor advisory URL provided in available reference data.
Remediation
Immediate Actions:
(1) Update the Bg Orthodox Calendar plugin to the latest available version beyond 0.13.10 (consult the WordPress plugin repository for the current version).
(2) Verify patch availability by checking the official plugin page at wordpress.org/plugins/bg-orthodox-calendar or the vendor repository.
Detailed Remediation:
(a) Implement CSRF token validation on all state-changing operations using WordPress nonces (wp_nonce_field() and wp_verify_nonce()).
(b) Sanitize and escape all user input using WordPress functions (sanitize_text_field(), wp_kses_post()) before storage.
(c) Validate and escape output for the appropriate context (esc_html(), esc_attr(), esc_url()) when rendering calendar data.
(d) Apply Content Security Policy (CSP) headers to mitigate XSS impact.
Workarounds (if a patch is unavailable): Disable the plugin temporarily if it is not critical to operations; restrict plugin access via Web Application Firewall (WAF) rules that block suspicious calendar input patterns; monitor for exploitation attempts targeting this CVE ID.
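The following is an added illustration of remediation steps (a) through (c), not code from the Bg Orthodox Calendar plugin: a generic WordPress settings handler shown first in the unprotected form CWE-352 describes and then hardened with a nonce check, a capability check, input sanitization and context-appropriate output escaping. The hook, option and field names are assumed for illustration.

```php
<?php
// Added example, not the plugin's code. Hook names, option names and
// field names ('calendar_save_note', 'calendar_note', 'note') are assumed.

// --- Unprotected pattern: no nonce, no capability check, raw input stored ---
add_action( 'admin_post_calendar_save_note_unsafe', function () {
    // A request forged from an authenticated admin's browser is accepted as-is,
    // and the unsanitized value is persisted (stored XSS if later echoed raw).
    update_option( 'calendar_note', $_POST['note'] );
    wp_safe_redirect( admin_url( 'options-general.php' ) );
    exit;
} );

// --- Hardened pattern ---
// (a) The form embeds a nonce bound to one specific action.
function calendar_render_form() {
    $note = get_option( 'calendar_note', '' );
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    wp_nonce_field( 'calendar_save_note', 'calendar_nonce' );
    echo '<input type="hidden" name="action" value="calendar_save_note">';
    // (c) Escape for the HTML attribute context when re-displaying stored data.
    echo '<input type="text" name="note" value="' . esc_attr( $note ) . '">';
    echo '<button type="submit">Save</button></form>';
}

// (a)+(b) The handler rejects a missing or invalid nonce, verifies the
// caller's capability, and sanitizes the value before storing it.
add_action( 'admin_post_calendar_save_note', function () {
    if ( ! isset( $_POST['calendar_nonce'] )
        || ! wp_verify_nonce( $_POST['calendar_nonce'], 'calendar_save_note' ) ) {
        wp_die( 'Invalid request', '', array( 'response' => 403 ) );
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    $note = isset( $_POST['note'] )
        ? sanitize_text_field( wp_unslash( $_POST['note'] ) )
        : '';
    update_option( 'calendar_note', $note );
    wp_safe_redirect( admin_url( 'options-general.php' ) );
    exit;
} );

// (c) Front-end rendering: escape for the HTML body context when the calendar
// is viewed, so a stored value can never be interpreted as markup.
function calendar_render_note() {
    echo '<p class="calendar-note">' . esc_html( get_option( 'calendar_note', '' ) ) . '</p>';
}
```

Note that wp_verify_nonce() alone does not authorize the request; the current_user_can() check is what enforces least privilege, and the nonce only proves the request originated from a form the site itself issued to that user.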
EUVD-2025-17170