Description
Cross-Site Request Forgery (CSRF) vulnerability in Michael Simple calendar for Elementor simple-calendar-for-elementor allows Cross Site Request Forgery.This issue affects Simple calendar for Elementor: from n/a through <= 1.6.4.
Published: 2025-04-22
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is a classic Cross‑Site Request Forgery flaw that is present in the Simple calendar for Elementor plugin through version 1.6.4. Because the plugin accepts state‑changing requests without a verification token, an attacker can trick an authenticated user into submitting a request that performs an unintended action on the site. The effect is that the attacker can perform operations that the user is authorized to do, potentially altering calendar entries or other plugin data. The weakness is identified as CWE‑352.

Affected Systems

All WordPress sites that have the Michael Simple calendar for Elementor plugin installed with version less than or equal to 1.6.4 are affected. The plugin is available in the WordPress plugin repository.

Risk and Exploitability

The CVSS score of 4.3 indicates a moderate severity. The EPSS score of less than 1 % suggests that active exploitation is unlikely. The vulnerability is not listed in the CISA KEV catalog. An attacker needs to have the victim authenticated in the site’s administrative or author‑level account, and then coerce the victim to visit a malicious site that contains a crafted request to perform the unwanted action. No additional pre‑conditions such as code execution are required beyond these conditions. Based on the description, the likely attack vector is a malicious webpage that causes the victim’s browser to send a state‑changing request to the vulnerable plugin while the user is authenticated.

Generated by OpenCVE AI on May 2, 2026 at 11:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Simple calendar for Elementor plugin to a version newer than 1.6.4.
  • If upgrading is not possible, remove or deactivate the plugin to eliminate the vulnerability.
  • Add CSRF protection to all state‑changing requests in the plugin, for example by incorporating WordPress nonces or alternative CSRF tokens. If the vendor does not supply a patch, implement a custom hook to enforce nonce verification or insert a security plugin that adds these checks.
  • Configure a web application firewall or a security plugin that detects and blocks unauthorized POST requests, and enable two‑factor authentication for all administrator accounts to reduce the risk of CSRF.

Generated by OpenCVE AI on May 2, 2026 at 11:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-12306 Cross-Site Request Forgery (CSRF) vulnerability in Michael Simple calendar for Elementor allows Cross Site Request Forgery. This issue affects Simple calendar for Elementor: from n/a through 1.6.4.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

 cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in Michael Simple calendar for Elementor allows Cross Site Request Forgery. This issue affects Simple calendar for Elementor: from n/a through 1.6.4. Cross-Site Request Forgery (CSRF) vulnerability in Michael Simple calendar for Elementor simple-calendar-for-elementor allows Cross Site Request Forgery.This issue affects Simple calendar for Elementor: from n/a through <= 1.6.4.
Title WordPress Simple calendar for Elementor <= 1.6.4 - Cross Site Request Forgery (CSRF) Vulnerability WordPress Simple calendar for Elementor plugin <= 1.6.4 - Cross Site Request Forgery (CSRF) Vulnerability
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

 cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Wed, 30 Apr 2025 15:45:00 +0000

Type Values Removed Values Added
First Time appeared Migaweb
Migaweb simple Calendar For Elementor
CPEs cpe:2.3:a:migaweb:simple_calendar_for_elementor:*:*:*:*:*:wordpress:*:*
Vendors & Products Migaweb
Migaweb simple Calendar For Elementor

Tue, 22 Apr 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 22 Apr 2025 10:00:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in Michael Simple calendar for Elementor allows Cross Site Request Forgery. This issue affects Simple calendar for Elementor: from n/a through 1.6.4.
Title WordPress Simple calendar for Elementor <= 1.6.4 - Cross Site Request Forgery (CSRF) Vulnerability
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

Subscriptions

Migaweb Simple Calendar For Elementor
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:37.051Z

Reserved: 2025-04-22T09:21:43.075Z

Link: CVE-2025-46249

cve-icon Vulnrichment

Updated: 2025-04-22T13:48:23.563Z

cve-icon NVD

Status : Modified

Published: 2025-04-22T10:15:19.403

Modified: 2026-04-23T15:29:57.153

Link: CVE-2025-46249

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-02T11:15:19Z

Weaknesses