CVE-2021-25025 - Missing Authorization vulnerability in Theeventscalendar Eventcalendar

CVSS 4.3 - MEDIUM
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: LOW
Confidentiality impact: NONE
Integrity impact: LOW
Availability impact: NONE
CWE-862

Summary

The EventCalendar WordPress plugin before 1.1.51 does not have proper authorisation and CSRF checks in the add_calendar_event AJAX actions, allowing users with a role as low as subscriber to create events.

Vulnerable Configurations

Part | Description | Count
Application | Theeventscalendar | 1

Common Weakness Enumeration (CWE)