A Cross‑Site Request Forgery flaw was discovered in the WordPress Multi Days Events and Multi Events in One Day Calendar plugin. The vulnerability, classified as CWE‑352, permits an attacker to forge HTTP requests that are accepted as legitimate by the plugin. Because the plugin performs sensitive functions such as creating, editing, or deleting events, the flaw could enable an attacker to manipulate calendar data, generate unintended events, or disrupt the user’s schedule. The CVSS score of 4.3 indicates a moderate impact, but the potential for unauthorized activity is significant.

The plugin is distributed by the vendor v20202020 under the names "Multi Days Events" and "Multi Events in One Day Calendar." Every release from the initial version up to and including 1.1.3 is affected. WordPress sites that have installed this plugin version fall within the risk scope.

The flaw has a low EPSS score (<1%), suggesting that exploitation is currently unlikely to occur on a large scale. The vulnerability does not appear in the CISA Known Exploited Vulnerabilities catalog. Attackers would most likely need to lure an authenticated administrator or a user with sufficient privileges to the site; a crafted link or malicious script could then trigger the forged request. The lack of significant observation in the public domain implies that exploitation would be limited to targeted scenarios.