Description
The VR Calendar plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.4.7. This is due to missing or incorrect nonce validation on the syncCalendar() function. This makes it possible for unauthenticated attackers to trigger a calendar sync via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Published: 2025-06-27
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross-Site Request Forgery allowing an unauthenticated attacker to trigger the plugin's calendar synchronization function on a target WordPress site
Action: Patch
AI Analysis

Impact

The VR Calendar plugin for WordPress contains a flaw caused by missing or incorrect nonce validation in the syncCalendar() function. An attacker who can lure a site administrator into clicking a crafted link or otherwise submitting a forged request can cause that administrator's browser to send a request to the plugin's sync endpoint. The calendar sync routine then runs under the administrator's authenticated session, potentially exposing or altering calendar data, or causing other unintended state changes within the site. This is a classic CSRF vulnerability: the attacker needs no credentials of their own, because the victim's logged-in session supplies them.

Affected Systems

The affected product is the VR Calendar plugin, version 2.4.7 and all earlier releases, provided by Innate Images, LLC. The plugin runs within a WordPress environment and the vulnerability exists in the WordPress plugin’s administration code.

Risk and Exploitability

The CVSS score of 4.3 reflects moderate severity, largely because exploitation requires social engineering. The EPSS score is less than 1%, indicating a very low likelihood that the vulnerability will be actively exploited at this time, and the vulnerability has not been listed in the CISA KEV catalogue. Exploitation would typically involve deceiving an administrator into opening a malicious link that submits a forged request to the syncCalendar() endpoint, triggering the sync operation without the attacker holding any credentials of their own.

Generated by OpenCVE AI on April 22, 2026 at 01:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the VR Calendar plugin to the latest version that includes the nonce validation fix (any release newer than 2.4.7).
  • If an update is delayed, temporarily disable the syncCalendar functionality or remove the relevant admin menu items to prevent accidental invocation.
  • Limit who can trigger calendar syncs by ensuring only trusted administrators have the capability to access that function, for example by checking user roles before allowing it.
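As an added illustration of the fix pattern the actions above describe (example code, not the VR Calendar plugin's own code; the vrc_ function and action names, the option key and the manage_options capability are assumptions), here is a hypothetical admin-post sync handler in the weak shape the CVE describes, next to a hardened version that validates a WordPress nonce and a capability:

```php
<?php
// Added illustration, not the VR Calendar plugin's code. Every name
// starting with "vrc_" is an assumption made for this example.

// Hypothetical sync routine: records when the last sync ran.
function vrc_run_calendar_sync() {
    update_option( 'vrc_last_sync', time() );
}

// Weak (the CVE's shape): any request to admin-post.php?action=vrc_sync_calendar
// issued by a logged-in admin's browser, including one a third-party page
// caused it to send, runs the sync. Nothing proves the admin intended it.
function vrc_sync_calendar_weak() {
    vrc_run_calendar_sync();
    wp_safe_redirect( admin_url( 'admin.php?page=vrc-calendar' ) );
    exit;
}

// Hardened: the request must carry a nonce that WordPress minted for this
// action and this user, and the user must hold the required capability.
function vrc_sync_calendar_hardened() {
    // Verifies the _wpnonce request field against the action name and calls
    // wp_die() on mismatch, so a forged cross-site request (whose origin
    // cannot read the nonce) is rejected before any work is done.
    check_admin_referer( 'vrc_sync_calendar' );

    // A nonce proves intent, not authorization: still check the capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    vrc_run_calendar_sync();
    wp_safe_redirect( admin_url( 'admin.php?page=vrc-calendar&synced=1' ) );
    exit;
}

// Registered for logged-in users only; with no admin_post_nopriv_ hook,
// unauthenticated requests never reach the handler at all.
add_action( 'admin_post_vrc_sync_calendar', 'vrc_sync_calendar_hardened' );

// The "Sync now" link rendered on the plugin's admin page must embed the
// matching nonce, otherwise check_admin_referer() rejects legitimate clicks.
function vrc_sync_link_html() {
    $url = wp_nonce_url(
        admin_url( 'admin-post.php?action=vrc_sync_calendar' ),
        'vrc_sync_calendar'
    );
    return '<a href="' . esc_url( $url ) . '">Sync calendar now</a>';
}
```

The nonce check and the capability check are independent: dropping either one reintroduces a weakness (forgeable intent, or a nonce-bearing request from a low-privilege user).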

Advisories
Source: EUVD
ID: EUVD-2025-19373
Title: The VR Calendar plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.4.7. This is due to missing or incorrect nonce validation on the syncCalendar() function. This makes it possible for unauthenticated attackers to trigger a calendar sync via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
History

Mon, 07 Jul 2025 16:15:00 +0000

First Time appeared (values added): Vr Calendar Project; Vr Calendar Project vr Calendar
CPEs (values added): cpe:2.3:a:vr_calendar_project:vr_calendar:*:*:*:*:*:wordpress:*:*
Vendors & Products (values added): Vr Calendar Project; Vr Calendar Project vr Calendar

Fri, 27 Jun 2025 14:15:00 +0000

Metrics (values added): ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 27 Jun 2025 07:45:00 +0000

Description (values added): The VR Calendar plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.4.7. This is due to missing or incorrect nonce validation on the syncCalendar() function. This makes it possible for unauthenticated attackers to trigger a calendar sync via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Title (values added): VR Calendar <= 2.4.7 - Cross-Site Request Forgery to Calendar Sync
Weaknesses (values added): CWE-352
References (values added):
Metrics (values added): cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:54:29.411Z

Reserved: 2025-06-09T15:35:32.522Z

Link: CVE-2025-5936

Vulnrichment

Updated: 2025-06-27T13:43:19.344Z

NVD

Status : Analyzed

Published: 2025-06-27T08:15:22.497

Modified: 2025-07-07T15:55:10.410

Link: CVE-2025-5936

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T01:15:07Z

Weaknesses