CVE-2021-25025

Summary

The EventCalendar WordPress plugin before 1.1.51 does not have proper authorisation and CSRF checks in the add_calendar_event AJAX actions, allowing users with a role as low as subscriber to create events

Affected Software

VendorProductVersion RangeStatus
UnknownEventCalendar1.1.51 < 1.1.51affected

Weaknesses

  • CWE-352: CWE-352 Cross-Site Request Forgery (CSRF)
  • CWE-862: CWE-862 Missing Authorization

ADP Enrichment

CVE Program Container

Additional References

References