Description
Cross-Site Request Forgery (CSRF) vulnerability in ThemeMove QuickCal - Appointment Booking Calendar for WordPress quickcal allows Privilege Escalation.This issue affects QuickCal - Appointment Booking Calendar for WordPress: from n/a through <= 1.0.15.
Published: 2025-05-16
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The QuickCal plugin contains a Cross‑Site Request Forgery flaw that can be used to elevate privileges. An attacker who can make a privileged user submit a crafted request to the vulnerable WordPress site can trigger privileged actions normally restricted to administrators. The weakness is identified as CWE‑352, indicating an uncontrolled request with minimal or no verification of the intended target. The impact is a loss of integrity and confidentiality for users and potentially the entire site.

Affected Systems

The affected product is the ThemeMove QuickCal – Appointment Booking Calendar for WordPress plugin, versions from the earliest release through version 1.0.15. Any site that has installed a QuickCal instance of these versions is at risk.

Risk and Exploitability

With a CVSS score of 8.8, the vulnerability is considered high severity. The EPSS score of less than 1% suggests a low likelihood of widespread exploitation but does not exclude targeted attacks. The vulnerability is not listed in the CISA KEV catalog, indicating it has not yet been observed as a widely used exploited vulnerability. Exploitation requires an authenticated user with privileged roles to be tricked into executing the malicious request; an unauthenticated user cannot achieve the same effect. The attack vector is standard CSRF, thus the attacker must influence the browser of a privileged user, typically via a deceptive link or embedded form.

Generated by OpenCVE AI on April 30, 2026 at 20:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade QuickCal to the latest version (at least 1.0.16 or newer).
  • If an upgrade is not immediately possible, deactivate or uninstall the QuickCal plugin until a fixed release is available.
  • Apply least‑privilege principles and enforce multi‑factor authentication for all WordPress administrator accounts to reduce the impact of a potential privilege‑escalation exploit.

Generated by OpenCVE AI on April 30, 2026 at 20:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-15488 Cross-Site Request Forgery (CSRF) vulnerability in ThemeMove QuickCal allows Privilege Escalation. This issue affects QuickCal: from n/a through 1.0.13.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in ThemeMove QuickCal allows Privilege Escalation. This issue affects QuickCal: from n/a through 1.0.13. Cross-Site Request Forgery (CSRF) vulnerability in ThemeMove QuickCal - Appointment Booking Calendar for WordPress quickcal allows Privilege Escalation.This issue affects QuickCal - Appointment Booking Calendar for WordPress: from n/a through <= 1.0.15.
Title WordPress QuickCal plugin <= 1.0.13 - CSRF to Privilege Escalation vulnerability WordPress QuickCal plugin <= 1.0.15 - CSRF to Privilege Escalation vulnerability
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Fri, 16 May 2025 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 16 May 2025 16:00:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in ThemeMove QuickCal allows Privilege Escalation. This issue affects QuickCal: from n/a through 1.0.13.
Title WordPress QuickCal plugin <= 1.0.13 - CSRF to Privilege Escalation vulnerability
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:21.765Z

Reserved: 2025-04-04T10:02:55.220Z

Link: CVE-2025-32310

cve-icon Vulnrichment

Updated: 2025-05-16T16:39:08.580Z

cve-icon NVD

Status : Deferred

Published: 2025-05-16T16:15:39.927

Modified: 2026-04-23T15:28:56.867

Link: CVE-2025-32310

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T20:15:16Z

Weaknesses