WordPress Plugin Vulnerabilities

VR Calendar < 2.3.4 - Calendar Deletion/Update & Settings Update via CSRF

Description

The plugin does not have CSRF checks when deleting and updating calendars, as well as updating the plugin settings, which could allow attackers to make logged a admin delete and update arbitrary calendars and modify the plugin settings via CSRF attacks

Affects Plugins

Plugin icon
vr-calendar-sync
Fixed in 2.3.4

References

CVE
CVE-2022-3852

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
6.3 (medium)

Miscellaneous

Original Researcher
Marco Wotschka
Verified
No
WPVDB ID
c750e6f1-e716-4053-84f5-0501d6b93f93

Timeline

Publicly Published
2022-11-03 (about 3 years ago)
Added
2022-11-03 (about 3 years ago)
Last Updated
2022-11-03 (about 3 years ago)

Other

Published
Title
Published
2025-10-27
Title
Media Library File Download <= 1.4 - Cross-Site Request Forgery
Published
2025-02-11
Title
WP Abstracts < 2.7.4 - Cross-Site Request Forgery to Arbitrary Account Deletion
Published
2023-01-20
Title
My Calendar < 3.4.4 - Cross-Site Request Forgery
Published
2024-04-05
Title
Loan Repayment Calculator and Application Form < 2.9.5 - Cross-Site Request Forgery
Published
2026-05-25
Title
Organization chart < 1.7.6 - Cross-Site Request Forgery