Description
Cross-Site Request Forgery (CSRF) vulnerability in Vadim Bogaiskov Bg Orthodox Calendar bg-orthodox-calendar allows Stored XSS. This issue affects Bg Orthodox Calendar: from n/a through <= 0.13.10.
Published: 2025-06-06
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This flaw is a Cross-Site Request Forgery that lets an attacker inject script into data stored by the Bg Orthodox Calendar plugin. The resulting stored XSS executes whenever a site visitor loads the affected content, potentially allowing the attacker to hijack sessions, steal user credentials, deface the site, or redirect users to phishing pages. The weakness is classified as CWE-352 (CSRF); the stored XSS is the secondary effect of exploiting it.

Affected Systems

Any WordPress installation running the Bg Orthodox Calendar plugin at version 0.13.10 or earlier is affected. The plugin is maintained by Vadim Bogaiskov and runs as a WordPress component; every site that has not upgraded beyond version 0.13.10 is exposed.

Risk and Exploitability

The CVSS score of 7.1 places the flaw in the high category, while the EPSS score of less than 1% suggests that active exploitation is currently unlikely. The vulnerability is not listed in the CISA KEV catalog. An attacker would need to craft a forged request, typically relying on a logged-in user's browser to submit it, that triggers an operation storing the malicious payload. Once stored, the XSS runs in any visitor's browser, so the attack reaches all users of the affected site.

Generated by OpenCVE AI on May 1, 2026 at 07:47 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Update the Bg Orthodox Calendar plugin to the latest version that patches the CSRF flaw, typically 0.13.11 or newer.
  • If an upgrade cannot be performed immediately, disable any pages or forms that allow the vulnerable data operations, or remove the plugin entirely to eliminate the stored XSS vector.
  • As a temporary safeguard, enforce WordPress CSRF nonce checks around the plugin’s write operations or restrict access to the affected functionality by role or IP to reduce the chance of forged requests.
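One way to put that nonce check in place, shown as an added example that is not the plugin's own code; the handler name, option name and form field are assumptions, since the advisory does not identify the affected operation:

```php
<?php
// Added example, not code from the Bg Orthodox Calendar plugin. The handler,
// option name and form field are assumed: the advisory does not say which
// operation lacks the nonce check.

// Vulnerable pattern: a privileged write with no CSRF token and no escaping.
// A forged cross-site POST submitted by a logged-in admin's browser lands here,
// and the unescaped value later renders as stored XSS for every visitor.
function bgoc_example_save_insecure() {
    update_option( 'bgoc_example_note', $_POST['note'] );
    wp_safe_redirect( admin_url( 'options-general.php' ) );
    exit;
}

// Hardened pattern: capability check, WordPress nonce check, input
// sanitisation on write, and output escaping on read.
function bgoc_example_save_secure() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // Dies unless the request carries a valid _wpnonce for this action,
    // so a forged request from another origin never reaches the write.
    check_admin_referer( 'bgoc_example_save' );

    $note = isset( $_POST['note'] ) ? sanitize_text_field( wp_unslash( $_POST['note'] ) ) : '';
    update_option( 'bgoc_example_note', $note );
    wp_safe_redirect( admin_url( 'options-general.php?bgoc_saved=1' ) );
    exit;
}
add_action( 'admin_post_bgoc_example_save', 'bgoc_example_save_secure' );

// The form that submits to the secure handler; wp_nonce_field() emits the
// _wpnonce and _wp_http_referer hidden inputs that check_admin_referer() verifies.
function bgoc_example_render_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    wp_nonce_field( 'bgoc_example_save' );
    echo '<input type="hidden" name="action" value="bgoc_example_save">';
    echo '<input type="text" name="note" value="' . esc_attr( get_option( 'bgoc_example_note', '' ) ) . '">';
    echo '<button type="submit">Save</button></form>';
}

// Front-end output: escape at the point of output so that anything that did
// get stored cannot execute in visitors' browsers.
function bgoc_example_render_note() {
    return '<p>' . esc_html( get_option( 'bgoc_example_note', '' ) ) . '</p>';
}
```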

Advisories
Source: EUVD
ID: EUVD-2025-17170
Title: Cross-Site Request Forgery (CSRF) vulnerability in Vadim Bogaiskov Bg Orthodox Calendar allows Stored XSS. This issue affects Bg Orthodox Calendar: from n/a through 0.13.10.
History

Thu, 23 Apr 2026 15:00:00 +0000
Metrics cvssV3_1: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000
Description, value removed: Cross-Site Request Forgery (CSRF) vulnerability in Vadim Bogaiskov Bg Orthodox Calendar allows Stored XSS. This issue affects Bg Orthodox Calendar: from n/a through 0.13.10.
Description, value added: Cross-Site Request Forgery (CSRF) vulnerability in Vadim Bogaiskov Bg Orthodox Calendar bg-orthodox-calendar allows Stored XSS.This issue affects Bg Orthodox Calendar: from n/a through <= 0.13.10.
References
Metrics cvssV3_1: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Fri, 06 Jun 2025 16:15:00 +0000
Metrics ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 06 Jun 2025 13:15:00 +0000
Description: Cross-Site Request Forgery (CSRF) vulnerability in Vadim Bogaiskov Bg Orthodox Calendar allows Stored XSS. This issue affects Bg Orthodox Calendar: from n/a through 0.13.10.
Title: WordPress Bg Orthodox Calendar plugin <= 0.13.10 - CSRF to Stored XSS vulnerability
Weaknesses: CWE-352
References
Metrics cvssV3_1: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:51.685Z

Reserved: 2025-03-11T08:10:19.509Z

Link: CVE-2025-28958

Vulnrichment

Updated: 2025-06-06T15:00:36.549Z

NVD

Status: Deferred

Published: 2025-06-06T13:15:28.363

Modified: 2026-04-23T15:26:40.713

Link: CVE-2025-28958

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T08:00:13Z

Weaknesses