VR Calendar < 2.4.5 – LFI via CSRF | Plugin Vulnerabilities

Description

The plugin does not validate user input before using it in a require statement, which could allow high privilege users to perform LFI attacks. The attack could also be performed via a CSRF vector by making a logged in admin open a malicious link

Proof of Concept

https://example.com/wp-admin/admin.php?page=vr-calendar-dashboard&view=part%2F..%2F..%2F..%2F..%2F..%2F..%2Findex

Affects Plugins

vr-calendar-sync

Fixed in 2.4.5

Classification

Type

LFI

OWASP top 10

A1: Injection

CWE

CWE-22

CVSS

8.8 (high)

Miscellaneous

Original Researcher

WPScan

Verified

Yes

WPVDB ID

e9a7cbdb-b67d-4e9c-90c5-e631964ae2ca

Timeline

Publicly Published

2022-07-28 (about 3 years ago)

Added

2022-07-28 (about 3 years ago)

Last Updated

2024-10-18 (about 1 year ago)

Other

Published

Title

Published

2024-06-13

Title

Folders <= 3.0 and Folders Pro <= 3.0.2 - Directory Traversal via handle_folders_file_upload

Published

2014-08-01

Title

Ajax Pagination 1.1 - wp-admin/admin-ajax.php loop Parameter Local File Inclusion

Published

2015-04-10

Title

Fusion Engage 1.0.5 - Local File Disclosure

Published

2025-03-27

Title

JS Help Desk < 2.9.2 - Unauthenticated Arbitrary File Download

Published

2025-06-23

Title

Image Shadow <= 1.1.0 - Authenticated (Subscriber+) Arbitrary File Deletion