Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Attacker needs no privileges (PR:N) but requires admin interaction (UI:R); only plugin settings are modified (I:L), with no direct confidentiality or availability impact on the vulnerable system.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The Book a Room Event Calendar plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.9. This is due to missing or incorrect nonce validation on the settings_form()/update_settings() functionality. The plugin's options page handler dispatches on the 'action' POST parameter and calls update_settings(), which persists plugin configuration (including the external database host, username, password, prefix, database name, encryption key, and registration page URL) via update_option(), without ever generating a nonce field in the settings form or verifying one (no wp_nonce_field(), check_admin_referer(), or wp_verify_nonce() exists anywhere in the plugin). This makes it possible for unauthenticated attackers to modify the plugin's database connection settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
AnalysisAI
Cross-Site Request Forgery in the Book a Room Event Calendar WordPress plugin (all versions through 1.9) allows unauthenticated remote attackers to overwrite sensitive plugin configuration - including external database host, credentials, encryption key, and registration URL - by tricking an authenticated administrator into visiting a malicious page. The vulnerability stems from a complete absence of WordPress nonce mechanisms (no wp_nonce_field(), check_admin_referer(), or wp_verify_nonce()) in both the settings form and its handler, meaning any browser-submitted POST during an active admin session is honored unconditionally. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Successful exploitation requires a currently authenticated WordPress site administrator to visit an attacker-controlled web page while holding an active WordPress session cookie - this is the sole prerequisite the attacker cannot bypass. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD CVSS 3.1 score of 4.3 (Medium) reflects the mandatory user interaction (UI:R) - an authenticated administrator must be lured to an attacker-controlled page - which meaningfully constrains exploitability compared to a no-interaction CSRF. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker crafts a webpage containing a hidden HTML form with auto-submit JavaScript, targeting the plugin's settings endpoint with POST parameters that set the external database host to an attacker-controlled server. The attacker sends a phishing email to the WordPress site administrator with a plausible pretext (e.g., a fake security alert) linking to this page; when the administrator opens the link while logged into their WordPress dashboard, their browser silently submits the forged request, overwriting the plugin's database connection settings. … |
| Remediation | No vendor-released patched version is identified at time of analysis - fix version is not independently confirmed from the provided data. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38658
GHSA-pfhp-jm8f-gx6g