WordPress Plugin Vulnerabilities

The Events Calendar < 6.7.1 - Trashed Events Restoration via CSRF

Description

The plugin does not have CSRF checks when restoring trashed events, which could allow attackers to make logged in admins perform such action via a CSRF attack

Affects Plugins

Plugin icon
the-events-calendar
Fixed in 6.7.1

References

CVE
CVE-2025-24537
URL
https://patchstack.com/database/wordpress/plugin/the-events-calendar/vulnerability/wordpress-the-events-calendar-plugin-6-7-0-cross-site-request-forgery-csrf-vulnerability

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Rafie Muhammad
Verified
No
WPVDB ID
420b37f9-aba9-4873-ad09-e7b05d2a9482

Timeline

Publicly Published
2024-11-09 (about 1 year ago)
Added
2025-02-20 (about 1 year ago)
Last Updated
2025-02-20 (about 1 year ago)

Other

Published
Title
Published
2024-10-17
Title
Infinite-Scroll <= 2.6.2 - Cross-Site Request Forgery to Plugin Settings Update
Published
2025-10-02
Title
Ultimate Viral Quiz <= 1.0 - Cross-Site Request Forgery to Settings Update
Published
2025-04-04
Title
Sequential Order Numbers for WooCommerce < 3.6.3 - Cross-Site Request Forgery
Published
2024-08-28
Title
Podlove Podcast Publisher < 4.1.14 - Cross-Site Request Forgery to Remote Code Execution
Published
2023-10-24
Title
Quill Forms < 3.4.0 - Cross-Site Request Forgery