Impact
A Cross‑Site Request Forgery flaw exists in the WP Corner Quick Event Calendar plugin that permits an attacker to submit a request on behalf of a legitimate user without their knowledge. The lack of a CSRF token in the calendar’s operations allows a malicious actor to embed and persist a cross‑site scripting payload through admin actions such as creating or editing calendar entries. The stored XSS component can then execute arbitrary client‑side code whenever authenticated or unauthenticated users view affected content, enabling credential theft, session hijacking, or defacement. The weakness maps to CWE‑352 and also demonstrates characteristics of stored XSS.
Affected Systems
All installations of WP Corner Quick Event Calendar with a version number of 1.4.9 or earlier are vulnerable. The product is identified as Quick Event Calendar and affects any WordPress site that has not upgraded beyond version 1.4.9.
Risk and Exploitability
The CVSS score of 7.1 indicates substantial severity. The EPSS score of less than 1% reflects a low current likelihood of exploitation, and the issue is not listed in CISA KEV. Exploitation would require an attacker to entice an authenticated user (or rely on a URL followed unwarily) into causing the application to process a malicious request. The vulnerability exposes stored XSS, which can impact the confidentiality, integrity, and availability of site content and user data.
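The two missing controls described under Impact, a CSRF token on the state-changing admin request and output handling that stops a stored payload from executing, look like this in a WordPress admin handler. This is an added example, not the plugin's code or its patch: every name prefixed `qec_demo_`, the option key, the required capability and the redirect target are assumptions made for illustration.

```php
<?php
// Hypothetical "save calendar entry" flow. Names prefixed qec_demo_ are
// invented for this example and are not taken from the plugin.

// Form: wp_nonce_field() embeds a token bound to the user and the action.
function qec_demo_render_form() {
    $title = get_option( 'qec_demo_event_title', '' );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="qec_demo_save_event">
        <?php wp_nonce_field( 'qec_demo_save_event', 'qec_demo_nonce' ); ?>
        <input type="text" name="event_title" value="<?php echo esc_attr( $title ); ?>">
        <?php submit_button( 'Save event' ); ?>
    </form>
    <?php
}

// Handler: authorize, verify the token, then sanitize before storing.
function qec_demo_save_event() {
    // 1. Capability check (assumed capability for this example).
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // 2. CSRF check: stops the request if the nonce is missing or invalid,
    //    so a request forged from another site is rejected here.
    check_admin_referer( 'qec_demo_save_event', 'qec_demo_nonce' );

    // 3. Sanitize on input: strips tags, so markup is not persisted.
    $title = isset( $_POST['event_title'] )
        ? sanitize_text_field( wp_unslash( $_POST['event_title'] ) )
        : '';
    update_option( 'qec_demo_event_title', $title );

    wp_safe_redirect( admin_url( 'admin.php?page=qec-demo' ) );
    exit;
}
add_action( 'admin_post_qec_demo_save_event', 'qec_demo_save_event' );

// 4. Escape on output as well: values stored before the fix, or written by
//    another code path, are rendered as text rather than markup.
function qec_demo_render_event() {
    $title = get_option( 'qec_demo_event_title', '' );
    return '<h3 class="qec-demo-title">' . esc_html( $title ) . '</h3>';
}
```

When auditing a plugin for this class of flaw, look for handlers that write options or posts from `$_POST` or `$_GET` without a `check_admin_referer()` or `wp_verify_nonce()` call before the write.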