CVE-2025-59131

2025-12-30

Lifecycle Timeline

Analysis Generated: Apr 01, 2026 - 17:44 (vuln.today)
CVE Published: Dec 30, 2025 - 23:15 (nvd)

Description

Cross-Site Request Forgery (CSRF) vulnerability in hoernerfranz WP-CalDav2ICS wp-caldav2ics allows Stored XSS. This issue affects WP-CalDav2ICS: from n/a through <= 1.3.4.

Analysis

WP-CalDav2ICS WordPress plugin through version 1.3.4 contains a Cross-Site Request Forgery (CSRF) vulnerability that enables Stored XSS attacks. The vulnerability allows unauthenticated attackers to craft malicious requests that, when executed by a logged-in administrator or user, inject persistent malicious scripts into the plugin's stored data. This combined CSRF+XSS chain can lead to persistent compromise of the WordPress site through script injection.

Technical Context

WP-CalDav2ICS is a WordPress plugin that integrates CalDAV calendar feeds into WordPress sites. The vulnerability stems from a CSRF weakness (CWE-352) in the plugin's request handling mechanism, where the plugin fails to implement or validate anti-CSRF tokens (such as WordPress nonces) on state-changing operations. This allows an attacker to craft a malicious link or form that, when visited by an authenticated administrator, triggers an unintended action. The CSRF vector is combined with Stored XSS, meaning the attacker can inject malicious JavaScript that persists in the plugin's database and executes for all users viewing the affected content. The plugin's calendar data handling and user input processing do not adequately sanitize or validate user-supplied data before storage.

Affected Products

All versions of WP-CalDav2ICS by hoernerfranz up to and including 1.3.4 are affected. The plugin is distributed via the official WordPress.org plugin directory; the corresponding CPE identifier would be cpe:2.3:a:hoernerfranz:wp-caldav2ics:*:*:*:*:*:wordpress:*:*.

Remediation

WordPress site administrators must immediately update WP-CalDav2ICS to a patched version released by hoernerfranz after 1.3.4 if available; consult the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/wp-caldav2ics/vulnerability/wordpress-wp-caldav2ics-plugin-1-3-4-cross-site-request-forgery-csrf-vulnerability?_s_id=cve for the recommended patched version. If no patched version is yet available, immediately deactivate and uninstall the plugin until a fix is released. Additionally, site administrators should audit recent calendar data and plugin logs for signs of malicious script injection; if Stored XSS payloads were injected, the site content may need manual review and sanitization. WordPress nonce validation and input sanitization should be reviewed by the plugin developer as part of the fix.
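The Technical Context above names the two defects behind this class of bug (no nonce check on a state-changing request, and no sanitization before storage or escaping on output), and the Remediation asks the developer to review both. The following is an added illustration, not code from WP-CalDav2ICS or from hoernerfranz: a hypothetical WordPress settings handler written in the weak pattern, next to a hardened version using the standard WordPress APIs. The function names, the `cal_feed_label` option and the form field names are assumptions made for the example.

```php
<?php
// Added illustration (not the plugin's own code). All names below
// (cal_* functions, the 'cal_feed_label' option, the 'cal_nonce' field)
// are hypothetical.

// --- Weak pattern: a POST handler that changes stored data without a
// capability check, without a nonce, and without sanitization. A form on a
// third-party page submitted by a logged-in administrator's browser would be
// accepted, and the raw value lands in the database (CSRF -> Stored XSS).
function cal_save_feed_label_weak() {
    if ( isset( $_POST['cal_feed_label'] ) ) {
        update_option( 'cal_feed_label', $_POST['cal_feed_label'] ); // unsanitized
    }
}

function cal_render_feed_label_weak() {
    // Unescaped on output: any stored markup is rendered as-is.
    echo '<h2>' . get_option( 'cal_feed_label' ) . '</h2>';
}

// --- Hardened pattern.
function cal_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'cal_save_feed_label', 'cal_nonce' ); ?>
        <input type="hidden" name="action" value="cal_save_feed_label">
        <input type="text" name="cal_feed_label"
               value="<?php echo esc_attr( get_option( 'cal_feed_label', '' ) ); ?>">
        <?php submit_button(); ?>
    </form>
    <?php
}

function cal_save_feed_label_hardened() {
    // 1. Capability: only users allowed to manage options may change this.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }

    // 2. Anti-CSRF: the nonce is bound to the action name and the user's
    //    session. check_admin_referer() stops the request with a 403 if the
    //    nonce is missing, expired or issued for another action/user.
    check_admin_referer( 'cal_save_feed_label', 'cal_nonce' );

    // 3. Sanitize before storage: sanitize_text_field() strips tags,
    //    octets and line breaks; wp_unslash() undoes WordPress' magic quoting.
    $label = isset( $_POST['cal_feed_label'] )
        ? sanitize_text_field( wp_unslash( $_POST['cal_feed_label'] ) )
        : '';
    update_option( 'cal_feed_label', $label );

    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'options-general.php' ) ) );
    exit;
}
// admin-post.php dispatches POSTs with action=cal_save_feed_label here.
add_action( 'admin_post_cal_save_feed_label', 'cal_save_feed_label_hardened' );

function cal_render_feed_label_hardened() {
    // 4. Escape on output as well: a value stored before the fix was applied
    //    is then rendered as text rather than executed as script.
    echo '<h2>' . esc_html( get_option( 'cal_feed_label', '' ) ) . '</h2>';
}
```

Step 4 matters for the clean-up the Remediation describes: escaping on output neutralises payloads already sitting in the database, while the nonce and capability checks close the CSRF entry point for future requests. Checking the nonce alone is not a substitute for sanitization, since an administrator can still paste markup into the field directly.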

Priority Score

Priority Score: 0 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +0.0
CVSS: +0
POC: 0

CVE-2025-59131 vulnerability details – vuln.today