Description
The CalJ plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.5. This is due to a missing capability check in the CalJSettingsPage class constructor, which processes the 'save-obtained-key' operation directly from POST data without verifying that the requesting user has the 'manage_options' capability, and without any nonce verification. The plugin bootstrap file (calj.php) instantiates CalJSettingsPage whenever is_admin() returns true, which is the case for any authenticated user making requests to wp-admin URLs (including admin-ajax.php). This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify the plugin's API key setting and clear the Shabbat cache, effectively taking control of the plugin's API integration.
Published: 2026-04-22
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary Settings Modification via Administrator API Key Update
Action: Apply Patch
AI Analysis

Impact

The CalJ Shabbat Times WordPress plugin is vulnerable to missing authorization (CWE-862) in all versions up to 1.5, as the CalJSettingsPage constructor processes the 'save-obtained-key' POST action without verifying that the user has 'manage_options' or even checking a nonce, allowing any authenticated user with Subscriber-level access or higher to modify the plugin’s API key and clear its cache, effectively taking control of the external API integration. This does not provide arbitrary code execution but permits an attacker to alter the plugin’s configuration and disrupt its intended operation.

Affected Systems

WordPress installations that have the CalJ Shabbat Times plugin version 1.5 or earlier are affected, as the vulnerability resides in the CalJSettingsPage constructor and is triggered whenever the admin context is detected (for any authenticated admin or subscriber accessing wp-admin or admin-ajax). The plugin allows an attacker to modify the settings via the 'save-obtained-key' action because no capability check nor nonce verification is performed. Sites using CalJ 1.5 or older, with at least a Subscriber role, are therefore at risk.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity, and the requirement for authentication means that the attack can only be carried out by users who are logged in to WordPress. No known public exploit or KEV listing exists, and the EPSS score is currently unavailable, leaving the current exploitation probability uncertain. Based on the description, the likely attack vector is a crafted POST request to the admin interface that includes the 'save-obtained-key' action; an authenticated attacker could exploit the missing authorization and lack of nonce to modify the plugin's API key and cache without needing elevated privileges beyond Subscriber.

Generated by OpenCVE AI on April 22, 2026 at 09:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the CalJ Shabbat Times plugin to the most recent version available, ensuring that capability verifications and nonce checks are in place for the 'save-obtained-key' action.
  • If an update is not feasible, disable or uninstall the CalJ plugin to eliminate the risk.
  • Restrict the Subscriber role from accessing wp-admin and admin-ajax endpoints or use a plugin to block the 'save-obtained-key' action for non-privileged users, ensuring only those with 'manage_options' capability can trigger the operation.

Generated by OpenCVE AI on April 22, 2026 at 09:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Calj
Calj calj Shabbat Times
Wordpress
Wordpress wordpress
Vendors & Products Calj
Calj calj Shabbat Times
Wordpress
Wordpress wordpress
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 22 Apr 2026 08:30:00 +0000

Type Values Removed Values Added
Description The CalJ plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.5. This is due to a missing capability check in the CalJSettingsPage class constructor, which processes the 'save-obtained-key' operation directly from POST data without verifying that the requesting user has the 'manage_options' capability, and without any nonce verification. The plugin bootstrap file (calj.php) instantiates CalJSettingsPage whenever is_admin() returns true, which is the case for any authenticated user making requests to wp-admin URLs (including admin-ajax.php). This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify the plugin's API key setting and clear the Shabbat cache, effectively taking control of the plugin's API integration.
Title CalJ <= 1.5 - Authenticated (Subscriber+) Arbitrary Settings Modification via 'save-obtained-key' Action
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

Subscriptions

Calj Calj Shabbat Times
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-22T12:10:09.794Z

Reserved: 2026-03-13T13:19:56.963Z

Link: CVE-2026-4117

cve-icon Vulnrichment

Updated: 2026-04-22T12:10:04.851Z

cve-icon NVD

Status : Deferred

Published: 2026-04-22T09:16:23.027

Modified: 2026-04-22T20:22:50.570

Link: CVE-2026-4117

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T11:43:52Z

Weaknesses