The vulnerability is an unprotected cross‑site request forgery flaw in StellarWP The Events Calendar plugin, allowing an attacker to make the victim’s browser submit authenticated requests on the victim’s behalf. Because the plugin accepts state‑changing operations without validating the request source, an attacker could potentially modify or delete event data, create new events, or otherwise perform actions that a logged‑in user is permitted to do. The primary impact is the unauthorized alteration of site content or settings, which could affect the integrity and reliability of the event management system.

All installations of the Events Calendar plugin from any unspecified earlier version up to and including 6.7.0 are potentially affected. The flaw applies to all target PCs running the plugin, regardless of the WordPress theme or other plugins, but only when the site has the plugin installed and an authenticated user is logged in.

The CVSS score of 5.4 classifies the vulnerability as moderate, indicating a meaningful but not critical risk. The EPSS score is less than 1%, suggesting that exploit attempts are unlikely but not impossible. The flaw is not listed in the CISA KEV catalog, which reduces known exploitation pressure. The attack vector is inferred to be a CSRF scenario: the attacker lures a legitimate user to a malicious site or link that initiates a forged request to the vulnerable plugin. Successful exploitation requires the user to be logged in to the target WordPress site at the time of the request.