Skip to main content

Vadim Bogaiskov Bg Orthodox Calendar EUVDEUVD-2025-17170

| CVE-2025-28958 HIGH
Cross-Site Request Forgery (CSRF) (CWE-352)
2025-06-06 audit@patchstack.com
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Re-analysis Queued
Apr 23, 2026 - 15:42 vuln.today
cvss_changed
EUVD ID Assigned
Mar 14, 2026 - 18:10 euvd
EUVD-2025-17170
Analysis Generated
Mar 14, 2026 - 18:10 vuln.today
CVE Published
Jun 06, 2025 - 13:15 nvd
HIGH 7.1

DescriptionCVE.org

Cross-Site Request Forgery (CSRF) vulnerability in Vadim Bogaiskov Bg Orthodox Calendar allows Stored XSS. This issue affects Bg Orthodox Calendar: from n/a through 0.13.10.

AnalysisAI

Cross-Site Request Forgery (CSRF) vulnerability in Vadim Bogaiskov's Bg Orthodox Calendar plugin that enables Stored Cross-Site Scripting (XSS) attacks. The vulnerability affects all versions from an unspecified baseline through 0.13.10, allowing unauthenticated attackers over the network to inject and store malicious scripts that execute in users' browsers with moderate impact to confidentiality, integrity, and availability. The CVSS 7.1 score reflects the combination of network attack vector with user interaction requirement; real-world exploitation risk depends on whether this vulnerability is actively exploited or has public proof-of-concept code available.

Technical ContextAI

The vulnerability exists in Bg Orthodox Calendar, a WordPress plugin developed by Vadim Bogaiskov. The root cause is classified under CWE-352 (Cross-Site Request Forgery - CSRF), which occurs when the application fails to implement adequate CSRF tokens or validation mechanisms on state-changing operations. When combined with Stored XSS, an attacker can forge requests on behalf of authenticated users and inject persistent malicious payloads into the calendar data that execute whenever the calendar is viewed. The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:C) indicates network-based attack with low complexity, no special privileges required, but user interaction needed, with scope change allowing impact beyond the vulnerable component. This is typical of WordPress plugin vulnerabilities where CSRF protections and input sanitization are insufficient.

RemediationAI

Immediate Actions: (1) Update Bg Orthodox Calendar plugin to the latest available version beyond 0.13.10 (consult WordPress plugin repository for current version); (2) Verify patch availability by checking the official plugin page at wordpress.org/plugins/bg-orthodox-calendar or vendor repository. Detailed Remediation: (a) Implement CSRF token validation on all state-changing operations using WordPress nonces (wp_nonce_field() and wp_verify_nonce()); (b) Sanitize and escape all user input using WordPress functions (sanitize_text_field(), wp_kses_post()) before storage; (c) Validate and escape output contexts appropriately (esc_html(), esc_attr(), esc_url()) when rendering calendar data; (d) Apply Content Security Policy (CSP) headers to mitigate XSS impact. Workarounds (if patch unavailable): Disable the plugin temporarily if not critical to operations; restrict plugin access via Web Application Firewall (WAF) rules blocking suspicious calendar input patterns; monitor for exploitation attempts targeting this CVE ID.

Share

EUVD-2025-17170 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy