Lucene search
PRIOn knowledge basePRION:CVE-2022-3852HistoryNov 03, 2022 - 6:15 p.m.
Cross site request forgery (csrf)
2022-11-0318:15:00
PRIOn knowledge base
www.prio-n.com
2
wordpress
csrf vulnerability
vr calendar plugin
nonce validation issue
unauthenticated attackers
site administrator trickery
The VR Calendar plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.3.3. This is due to missing or incorrect nonce validation on several functions. This makes it possible for unauthenticated attackers to delete, and modify calendars as well as the plugin settings, via forged request granted they can trick a site administrator into performing an action such as clicking on a link.
| CPE | Name | Operator | Version |
|---|---|---|---|
| vr_calendar | lt | 2.3.4 |
References
plugins.trac.wordpress.org/browser/vr-calendar-sync/tags/2.3.2/Admin/Classes/VRCalendarAdmin.class.php
plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2809350%40vr-calendar-sync&new=2809350%40vr-calendar-sync&sfp_email=&sfph_mail=
www.wordfence.com/vulnerability-advisories-continued/
Related
nvd
nvd
CVE-2022-3852
2022-11-03 18:15:16
cve
cve
CVE-2022-3852
2022-11-03 18:15:16
cvelist
cvelist
CVE-2022-3852
2022-11-03 17:15:11
patchstack
patchstack
wpvulndb
wpvulndb
VR Calendar < 2.3.4 - Calendar Deletion/Update & Settings Update via CSRF
2022-11-03 00:00:00