Skip to main content

Book A Room Event Calendar

1 CVEs product

Monthly

CVE-2026-9721 MEDIUM This Month

Cross-Site Request Forgery in the Book a Room Event Calendar WordPress plugin (all versions through 1.9) allows unauthenticated remote attackers to overwrite sensitive plugin configuration - including external database host, credentials, encryption key, and registration URL - by tricking an authenticated administrator into visiting a malicious page. The vulnerability stems from a complete absence of WordPress nonce mechanisms (no wp_nonce_field(), check_admin_referer(), or wp_verify_nonce()) in both the settings form and its handler, meaning any browser-submitted POST during an active admin session is honored unconditionally. No public exploit has been identified at time of analysis, and the plugin is a niche product, limiting real-world blast radius despite the sensitive nature of the overwriteable fields.

WordPress CSRF Book A Room Event Calendar
NVD
CVSS 3.1
4.3
EPSS
0.1%
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery in the Book a Room Event Calendar WordPress plugin (all versions through 1.9) allows unauthenticated remote attackers to overwrite sensitive plugin configuration - including external database host, credentials, encryption key, and registration URL - by tricking an authenticated administrator into visiting a malicious page. The vulnerability stems from a complete absence of WordPress nonce mechanisms (no wp_nonce_field(), check_admin_referer(), or wp_verify_nonce()) in both the settings form and its handler, meaning any browser-submitted POST during an active admin session is honored unconditionally. No public exploit has been identified at time of analysis, and the plugin is a niche product, limiting real-world blast radius despite the sensitive nature of the overwriteable fields.

WordPress CSRF Book A Room Event Calendar
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy