Impact
The Simple calendar for Elementor plugin contains a flaw that allows an attacker to force a logged-in administrator to perform actions on the site without the administrator's explicit consent. This occurs because the plugin fails to validate that requests originate from a legitimate source, allowing exploitation when an administrator visits a crafted URL or malicious content. The resulting impact is a compromise of the integrity of calendar data and potentially other privileged actions within WordPress that the authenticated user can perform. The weakness is a classic CSRF-type flaw, identified as CWE-352.
Affected Systems
All installations of the Simple calendar for Elementor plugin on WordPress that are running version 1.6.5 or earlier are affected. No other WordPress core components or plugins are listed as vulnerable.
Risk and Exploitability
The CVSS score of 4.3 indicates moderate severity, and the EPSS score of less than 1% suggests a low current probability of exploitation. The vulnerability is not cataloged in CISA’s KEV database. The most likely attack vector involves an attacker tricking an authenticated administrator into visiting a maliciously crafted link or embedding the URL in an email or webpage. No publicly available exploit code has been confirmed, but the ease of CSRF attacks means the risk is real for sites where administrators are not vigilant against malicious links.
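The missing-validation pattern described above, shown as an added illustration rather than the plugin's own code: a hypothetical WordPress admin-post handler that saves a calendar event, first without any request-origin check and then hardened with a WordPress nonce plus a capability check. The hook, option, field and function names (simcal_demo_*) are assumptions made for this example.

```php
<?php
// Added illustration (not the plugin's code): a hypothetical admin-post handler
// that saves a calendar event. Hook, option and field names are assumptions.

// BEFORE: trusts any request that reaches it. A logged-in admin lured to an
// attacker-controlled page can be made to submit this form unknowingly (CWE-352).
function simcal_demo_save_event_vulnerable() {
    $title = sanitize_text_field( wp_unslash( $_POST['event_title'] ?? '' ) );
    update_option( 'simcal_demo_event_title', $title );
    wp_safe_redirect( admin_url( 'admin.php?page=simcal-demo' ) );
    exit;
}

// AFTER: require a nonce bound to this action and the current user, plus a
// capability check. Both are needed: the nonce proves the request came from a
// form the site itself rendered; the capability check enforces least privilege.
function simcal_demo_save_event_hardened() {
    // check_admin_referer() stops the request with an error page if the nonce is
    // missing, expired, or was issued for another user or another action.
    check_admin_referer( 'simcal_demo_save_event', '_simcal_nonce' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'simcal-demo' ), 403 );
    }

    $title = sanitize_text_field( wp_unslash( $_POST['event_title'] ?? '' ) );
    update_option( 'simcal_demo_event_title', $title );
    wp_safe_redirect( admin_url( 'admin.php?page=simcal-demo&saved=1' ) );
    exit;
}
add_action( 'admin_post_simcal_demo_save_event', 'simcal_demo_save_event_hardened' );

// The form the plugin renders must embed the matching nonce field. A page on
// another origin cannot read this value, so it cannot build a valid request.
function simcal_demo_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="simcal_demo_save_event">
        <?php wp_nonce_field( 'simcal_demo_save_event', '_simcal_nonce' ); ?>
        <input type="text" name="event_title">
        <button type="submit">Save</button>
    </form>
    <?php
}
```

Actions triggered by plain links rather than forms need the same token, appended with wp_nonce_url(), and AJAX endpoints should use check_ajax_referer(); in every case the nonce complements the capability check rather than replacing it.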
OpenCVE Enrichment