The Upcoming for Calendly plugin for WordPress, up to and including version 1.2.4, suffers from a Cross-Site Request Forgery (CSRF) vulnerability identified as CVE-2025-14160. This vulnerability is due to the absence of nonce validation on the plugin's settings update functionality, specifically the endpoint that allows updating the Calendly API key. Nonce validation is a security mechanism used in WordPress to ensure that requests to change settings originate from legitimate users and not from forged requests. Because this validation is missing, an attacker can craft a malicious web page or email containing a specially crafted request that, when visited or clicked by a site administrator, causes the plugin's Calendly API key to be changed without the administrator's consent. This attack does not require the attacker to be authenticated on the target site but does require the administrator to interact with the malicious content, making it a user-interaction-dependent attack. The vulnerability impacts the integrity of the plugin's configuration, potentially allowing attackers to redirect Calendly API calls or disrupt scheduling functionalities. The CVSS v3.1 base score is 4.3, reflecting a medium severity level, with the vector indicating network attack vector, low attack complexity, no privileges required, user interaction required, unchanged scope, no confidentiality impact, limited integrity impact, and no availability impact. No public exploits have been reported yet, and no official patches are linked, indicating the need for immediate attention from site administrators and plugin developers.

The primary impact of this vulnerability is on the integrity of the plugin's configuration. By altering the Calendly API key, an attacker could potentially redirect scheduling data or disrupt the intended scheduling functionality of the site, leading to operational disruptions and potential loss of trust from users relying on the scheduling service. Although confidentiality and availability are not directly affected, the unauthorized modification of API keys could facilitate further attacks or data manipulation if combined with other vulnerabilities or misconfigurations. Organizations relying on this plugin for critical scheduling functions may experience business process interruptions or reputational damage. Since exploitation requires administrator interaction, the risk is somewhat mitigated but remains significant for sites with high administrator traffic or less security awareness. The vulnerability could also be leveraged as part of a broader attack chain targeting WordPress sites with Calendly integrations.

To mitigate this vulnerability, site administrators should immediately verify if they are using the Upcoming for Calendly plugin version 1.2.4 or earlier and monitor for updates or patches from the vendor justdave. In the absence of an official patch, administrators can implement manual nonce validation on the settings update endpoint by modifying the plugin code to include WordPress nonces for all state-changing requests. Additionally, administrators should educate site users, especially those with administrative privileges, about the risks of clicking on untrusted links and emails to reduce the risk of social engineering attacks. Employing web application firewalls (WAFs) with rules to detect and block CSRF attempts can provide an additional layer of defense. Regularly auditing plugin configurations and monitoring for unexpected changes to API keys or settings can help detect exploitation attempts early. Finally, consider limiting administrative access and using multi-factor authentication to reduce the risk of unauthorized actions.