Impact
Cross‑Site Request Forgery in the WP Corner Quick Event Calendar plugin allows attackers to perform actions on behalf of an authenticated user without their consent. The flaw can lead to unauthorized modifications of calendar data such as creating, editing, or deleting events, potentially disrupting user schedules and compromising the integrity of the site’s content. This vulnerability is identified as CWE‑352. Based on the description, the attacker may be able to trigger the request by enticing the victim to visit a specially crafted URL.
Affected Systems
The affected product is WP Corner’s Quick Event Calendar plugin for WordPress. All installations of version 1.4.9 or earlier are affected. No specific operating system or platform constraints are listed.
Risk and Exploitability
An attacker would need to target a user who is logged in to the WordPress site with sufficient privileges to change event data. The CVSS score of 4.3 indicates moderate severity, while the EPSS score of less than 1% reflects a low likelihood of exploitation in the wild. The vulnerability is not currently listed in the CISA KEV catalog, suggesting that there is no known widespread exploitation. However, because the attack can be performed through standard HTTP requests, it remains feasible for a determined adversary, especially if account credentials are weak or compromised.
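For plugin developers and reviewers, the CWE-352 pattern and its standard WordPress fix look like the sketch below. This is an added example, not code from Quick Event Calendar: the handler, action, nonce, option and page names are hypothetical, and the `manage_options` capability is an assumption about who may edit events.

```php
<?php
// Added illustration. Hypothetical names throughout: 'example_save_event',
// 'example_event_nonce', 'example_event_title', 'example-events'.

// Form side: embed a nonce bound to the current user, session and action.
function example_render_event_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="example_save_event">';
    wp_nonce_field( 'example_save_event', 'example_event_nonce' );
    echo '<input type="text" name="event_title">';
    submit_button( 'Save event' );
    echo '</form>';
}

// Vulnerable pattern (CWE-352), shown for comparison and not registered:
// the capability check passes because the browser sends the victim's
// session cookie, but nothing proves the request came from the site's form.
function example_save_event_unsafe() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }
    $title = sanitize_text_field( wp_unslash( $_POST['event_title'] ?? '' ) );
    update_option( 'example_event_title', $title );
}

// Hardened handler: POST only, nonce verified, then capability check.
function example_save_event() {
    // State changes must never be reachable through a plain link (GET).
    if ( 'POST' !== ( $_SERVER['REQUEST_METHOD'] ?? '' ) ) {
        wp_die( 'Method not allowed', '', array( 'response' => 405 ) );
    }
    // Dies unless the nonce field is present and valid for this user.
    check_admin_referer( 'example_save_event', 'example_event_nonce' );

    if ( ! current_user_can( 'manage_options' ) ) { // assumed capability
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }
    $title = sanitize_text_field( wp_unslash( $_POST['event_title'] ?? '' ) );
    update_option( 'example_event_title', $title );

    wp_safe_redirect( admin_url( 'admin.php?page=example-events&updated=1' ) );
    exit;
}
// Only the hardened handler is wired to the admin-post.php action.
add_action( 'admin_post_example_save_event', 'example_save_event' );
```

When auditing a plugin for this class of bug, look for handlers that write data after a capability check alone, with no `check_admin_referer()`, `check_ajax_referer()` or `wp_verify_nonce()` call before the write.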