Description
The Book a Room Event Calendar plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.9. This is due to missing or incorrect nonce validation on the settings_form()/update_settings() functionality. The plugin's options page handler dispatches on the 'action' POST parameter and calls update_settings(), which persists plugin configuration (including the external database host, username, password, prefix, database name, encryption key, and registration page URL) via update_option(), without ever generating a nonce field in the settings form or verifying one (no wp_nonce_field(), check_admin_referer(), or wp_verify_nonce() exists anywhere in the plugin). This makes it possible for unauthenticated attackers to modify the plugin's database connection settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Published: 2026-06-24
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Book a Room Event Calendar plugin for WordPress contains a CSRF vulnerability in all releases through 1.9. The plugin's settings form emits no nonce field and its update handler verifies none, so an attacker can craft a cross-site request that, when submitted from a logged-in administrator's browser, rewrites the plugin's configuration: external database host, username, password, table prefix, database name, encryption key, and registration page URL. The attacker needs no account on the site; the victim's own session supplies the authorization. An attacker who repoints the external database connection at a host they control can capture or alter the booking and event data the plugin reads and writes through that connection, and a changed registration page URL sends visitors wherever the attacker chooses. The scored impact (CVSS I:L) is unauthorized modification of plugin configuration; what follows from that depends on how much of the site's data lives in the plugin's external database.
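As an added illustration (not the plugin's code; its actual settings_form()/update_settings() functions are not reproduced here), the handler shape the advisory describes is shown beside a hardened version. Function names, option keys, the text domain and the 'update_settings' action value are all assumptions chosen for the example.

```php
<?php
/*
 * Added example, not the plugin's source. Models the handler shape the advisory
 * describes (dispatch on $_POST['action'], persist via update_option()) first
 * without protection, then hardened. Function names, option keys and the
 * action value are placeholders chosen for illustration.
 */

/* ---------- Vulnerable shape (what the advisory describes) ---------- */

function bre_vuln_settings_page() {
    // Dispatches on a POST field only. No capability check, no nonce.
    if ( isset( $_POST['action'] ) && 'update_settings' === $_POST['action'] ) {
        bre_vuln_update_settings();
    }
    bre_vuln_settings_form();
}

function bre_vuln_update_settings() {
    // Reached by any POST the admin's browser sends with its WordPress cookies,
    // including one auto-submitted from an attacker's page.
    update_option( 'bre_db_host', $_POST['db_host'] );
    update_option( 'bre_db_user', $_POST['db_user'] );
    update_option( 'bre_db_pass', $_POST['db_pass'] );
}

function bre_vuln_settings_form() {
    ?>
    <form method="post" action="">
        <input type="hidden" name="action" value="update_settings">
        <input name="db_host" value="<?php echo esc_attr( get_option( 'bre_db_host', '' ) ); ?>">
        <input name="db_user" value="<?php echo esc_attr( get_option( 'bre_db_user', '' ) ); ?>">
        <input name="db_pass" type="password" value="">
        <button type="submit">Save</button>
    </form>
    <?php
}

/* ---------- Hardened shape ---------- */

const BRE_NONCE_ACTION = 'bre_update_settings';
const BRE_NONCE_FIELD  = '_bre_nonce';

function bre_safe_settings_page() {
    // 1. Authorization: the capability check is independent of CSRF protection.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to manage these settings.', 'bre' ), 403 );
    }
    if ( isset( $_POST['action'] ) && 'update_settings' === $_POST['action'] ) {
        // 2. CSRF: check_admin_referer() runs wp_verify_nonce() on the named
        //    field and dies with a 403 if it is missing, stale or forged.
        check_admin_referer( BRE_NONCE_ACTION, BRE_NONCE_FIELD );
        bre_safe_update_settings();
    }
    bre_safe_settings_form();
}

function bre_safe_update_settings() {
    // 3. Input handling: unslash and sanitize before persisting.
    $host = sanitize_text_field( wp_unslash( $_POST['db_host'] ?? '' ) );
    $user = sanitize_text_field( wp_unslash( $_POST['db_user'] ?? '' ) );
    $pass = (string) wp_unslash( $_POST['db_pass'] ?? '' ); // stored as given, not sanitized

    update_option( 'bre_db_host', $host );
    update_option( 'bre_db_user', $user );
    if ( '' !== $pass ) { // a blank field leaves the stored password untouched
        update_option( 'bre_db_pass', $pass );
    }
}

function bre_safe_settings_form() {
    ?>
    <form method="post" action="">
        <?php wp_nonce_field( BRE_NONCE_ACTION, BRE_NONCE_FIELD ); // emits the hidden nonce input ?>
        <input type="hidden" name="action" value="update_settings">
        <input name="db_host" value="<?php echo esc_attr( get_option( 'bre_db_host', '' ) ); ?>">
        <input name="db_user" value="<?php echo esc_attr( get_option( 'bre_db_user', '' ) ); ?>">
        <input name="db_pass" type="password" value="" autocomplete="new-password">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```

The two fixes are separate controls: current_user_can() decides who may change the options, and the nonce decides whether this particular request was intentionally submitted from the site's own form. A cross-site POST carries the victim's cookies, so it passes the first check; it cannot carry a valid nonce, so it fails the second.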

Affected Systems

The affected product is the Book a Room Event Calendar WordPress plugin distributed by chuhpl. All versions up to and including 1.9 are vulnerable. No additional vendor or product information is available.

Risk and Exploitability

The CVSS 3.1 base score is 4.3 (Medium), vector AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N: no privileges are needed, but user interaction is required and only integrity is scored. The EPSS score is below 1%, and the vulnerability is not listed in CISA's KEV catalog. Exploitation requires a logged-in site administrator to submit the forged request, typically by visiting an attacker-controlled page that auto-submits a form to the site's admin area. Browsers that treat cookies without a SameSite attribute as Lax by default reduce exposure but do not remove it: not every browser applies that default, and Chromium still attaches such cookies to a top-level cross-site POST when they were set within the last two minutes. Because the handler writes the values with update_option(), the change persists until an administrator notices and reverts it; the attacker gains neither code execution nor an account, but a repointed database connection stays in effect across sessions. Overall risk is moderate, and higher for sites whose external plugin database holds sensitive booking data.

Generated by OpenCVE AI on June 24, 2026 at 09:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Book a Room Event Calendar as soon as the vendor publishes a release that adds nonce generation and verification to the settings form. At the time of this page no fixed version is listed, so check the plugin's changelog before relying on an update.
  • If no fix is available, deactivate the plugin. If it must stay active, record its stored database connection settings and registration page URL, compare them against known-good values on a schedule, and re-check them after any suspicious administrator activity.
  • Two-factor authentication does not mitigate CSRF, because the forged request rides on the administrator's already authenticated session. Instead, block cross-site POSTs to the settings handler: reject requests whose Origin or Referer host is not the site's own at a WAF or reverse proxy, or install a must-use plugin that performs that check (or an equivalent nonce check) on admin_init, before the plugin's page callback runs.
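For the interim mitigation, an added example (not vendor code) of a must-use plugin that rejects cross-site POSTs aimed at the settings handler before the plugin's page callback runs. It assumes the update POST carries action=update_settings and that the options page is reached as admin.php?page=book-a-room-settings; both values are placeholders to be replaced with the real ones from the installed plugin.

```php
<?php
/*
 * Plugin Name: BRE CSRF hotfix (added example, not vendor code)
 * Description: Drop into wp-content/mu-plugins/ to reject cross-site POSTs to a
 *              settings handler that performs no nonce check of its own.
 *
 * Assumptions (placeholders, not taken from the plugin's source):
 *   - the settings update is a POST whose 'action' field equals BRE_HOTFIX_ACTION;
 *   - the plugin's options page is reached via admin.php?page=BRE_HOTFIX_PAGE.
 * Adjust both constants to the real values before deploying.
 */

const BRE_HOTFIX_ACTION = 'update_settings';
const BRE_HOTFIX_PAGE   = 'book-a-room-settings';

/**
 * Host named by the request's Origin header, falling back to Referer.
 * Returns '' when neither header is present or parseable.
 */
function bre_hotfix_request_source_host() {
    foreach ( array( 'HTTP_ORIGIN', 'HTTP_REFERER' ) as $key ) {
        if ( ! empty( $_SERVER[ $key ] ) ) {
            $host = wp_parse_url( wp_unslash( $_SERVER[ $key ] ), PHP_URL_HOST );
            return is_string( $host ) ? strtolower( $host ) : '';
        }
    }
    return '';
}

/**
 * Runs on admin_init, which fires before any menu page callback, so a wp_die()
 * here stops the plugin's own handler from ever seeing the request.
 */
function bre_hotfix_guard() {
    if ( 'POST' !== ( $_SERVER['REQUEST_METHOD'] ?? '' ) ) {
        return;
    }
    $action = isset( $_POST['action'] ) ? sanitize_text_field( wp_unslash( $_POST['action'] ) ) : '';
    $page   = isset( $_GET['page'] ) ? sanitize_text_field( wp_unslash( $_GET['page'] ) ) : '';
    if ( BRE_HOTFIX_ACTION !== $action || BRE_HOTFIX_PAGE !== $page ) {
        return; // not the request being guarded; leave other plugins alone
    }

    // 1. Capability: only administrators may touch these options at all.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', 403 );
    }

    // 2. Source check: the browser must say the request came from this site's
    //    admin host. Fail closed when neither Origin nor Referer is present.
    $expected = strtolower( (string) wp_parse_url( admin_url(), PHP_URL_HOST ) );
    $actual   = bre_hotfix_request_source_host();
    if ( '' === $actual || $actual !== $expected ) {
        wp_die( 'Rejected cross-site settings update.', '', 403 );
    }
}
add_action( 'admin_init', 'bre_hotfix_guard' );
```

Files in wp-content/mu-plugins/ load automatically and before regular plugins, which is what lets this guard run ahead of the vulnerable handler without editing the plugin. The Origin/Referer comparison is weaker than a nonce (it trusts browser-supplied headers and fails closed for clients that strip them), so treat it as a stopgap until the vendor ships nonce verification.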

Generated by OpenCVE AI on June 24, 2026 at 09:11 UTC.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 06:30:00 +0000

Type         Values Removed   Values Added
Description  (none)           The Book a Room Event Calendar plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.9. This is due to missing or incorrect nonce validation on the settings_form()/update_settings() functionality. The plugin's options page handler dispatches on the 'action' POST parameter and calls update_settings(), which persists plugin configuration (including the external database host, username, password, prefix, database name, encryption key, and registration page URL) via update_option(), without ever generating a nonce field in the settings form or verifying one (no wp_nonce_field(), check_admin_referer(), or wp_verify_nonce() exists anywhere in the plugin). This makes it possible for unauthenticated attackers to modify the plugin's database connection settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Title        (none)           Book a Room Event Calendar <= 1.9 - Cross-Site Request Forgery to Settings Update
Weaknesses   (none)           CWE-352
References   (none)           (none)
Metrics      (none)           cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-24T05:33:22.374Z

Reserved: 2026-05-27T16:08:07.402Z

Link: CVE-2026-9721

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T09:15:06Z

Weaknesses
  • CWE-352

    Cross-Site Request Forgery (CSRF)