Skip to main content

Book a Room EUVDEUVD-2026-38658

| CVE-2026-9721 MEDIUM
Cross-Site Request Forgery (CSRF) (CWE-352)
2026-06-24 Wordfence GHSA-pfhp-jm8f-gx6g
4.3
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
vuln.today AI
4.3 MEDIUM

Attacker needs no privileges (PR:N) but requires admin interaction (UI:R); only plugin settings are modified (I:L), with no direct confidentiality or availability impact on the vulnerable system.

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 24, 2026 - 06:51 vuln.today
CVE Published
Jun 24, 2026 - 05:33 cve.org
MEDIUM 4.3

DescriptionCVE.org

The Book a Room Event Calendar plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.9. This is due to missing or incorrect nonce validation on the settings_form()/update_settings() functionality. The plugin's options page handler dispatches on the 'action' POST parameter and calls update_settings(), which persists plugin configuration (including the external database host, username, password, prefix, database name, encryption key, and registration page URL) via update_option(), without ever generating a nonce field in the settings form or verifying one (no wp_nonce_field(), check_admin_referer(), or wp_verify_nonce() exists anywhere in the plugin). This makes it possible for unauthenticated attackers to modify the plugin's database connection settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

AnalysisAI

Cross-Site Request Forgery in the Book a Room Event Calendar WordPress plugin (all versions through 1.9) allows unauthenticated remote attackers to overwrite sensitive plugin configuration - including external database host, credentials, encryption key, and registration URL - by tricking an authenticated administrator into visiting a malicious page. The vulnerability stems from a complete absence of WordPress nonce mechanisms (no wp_nonce_field(), check_admin_referer(), or wp_verify_nonce()) in both the settings form and its handler, meaning any browser-submitted POST during an active admin session is honored unconditionally. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify target WordPress site running Book a Room Event Calendar ≤1.9
Delivery
Craft auto-submitting HTML CSRF form targeting plugin settings endpoint
Exploit
Deliver phishing link to site administrator
Execution
Administrator visits attacker page while authenticated to WordPress
Persist
Browser auto-submits POST overwriting external database connection settings
Impact
Plugin connects to attacker-controlled database server on next operation

Vulnerability AssessmentAI

Exploitation Successful exploitation requires a currently authenticated WordPress site administrator to visit an attacker-controlled web page while holding an active WordPress session cookie - this is the sole prerequisite the attacker cannot bypass. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD CVSS 3.1 score of 4.3 (Medium) reflects the mandatory user interaction (UI:R) - an authenticated administrator must be lured to an attacker-controlled page - which meaningfully constrains exploitability compared to a no-interaction CSRF. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a webpage containing a hidden HTML form with auto-submit JavaScript, targeting the plugin's settings endpoint with POST parameters that set the external database host to an attacker-controlled server. The attacker sends a phishing email to the WordPress site administrator with a plausible pretext (e.g., a fake security alert) linking to this page; when the administrator opens the link while logged into their WordPress dashboard, their browser silently submits the forged request, overwriting the plugin's database connection settings. …
Remediation No vendor-released patched version is identified at time of analysis - fix version is not independently confirmed from the provided data. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-38658 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy