
CVE-2025-27360: CWE-352 Cross-Site Request Forgery (CSRF) in WP Corner Quick Event Calendar

Severity: Medium
Tags: Vulnerability, CVE-2025-27360, cve, cve-2025-27360, cwe-352
Published: Fri Jun 06 2025 (06/06/2025, 12:54:35 UTC)
Source: CVE Database V5
Vendor/Project: WP Corner
Product: Quick Event Calendar

Description

Cross-Site Request Forgery (CSRF) vulnerability in WP Corner Quick Event Calendar allows Cross Site Request Forgery. This issue affects Quick Event Calendar: from n/a through 1.4.9.

AI-Powered Analysis

Last updated: 07/08/2025, 08:10:55 UTC

Technical Analysis

CVE-2025-27360 is a Cross-Site Request Forgery (CSRF) vulnerability identified in the WP Corner Quick Event Calendar WordPress plugin, affecting versions up to and including 1.4.9. CSRF vulnerabilities allow an attacker to trick an authenticated user into submitting unwanted actions on a web application where they are logged in, without their consent or knowledge. In this case, the vulnerability permits an attacker to craft malicious requests that, when executed by an authenticated user, could modify data or perform actions within the Quick Event Calendar plugin. The CVSS 3.1 base score of 4.3 reflects a medium severity rating, indicating that while the vulnerability does not impact confidentiality or availability, it can affect the integrity of data. The attack vector is network-based (AV:N), requires no privileges (PR:N), but does require user interaction (UI:R), such as clicking a malicious link or visiting a crafted webpage. The vulnerability scope is unchanged (S:U), meaning the impact is limited to the vulnerable component itself. No known exploits are currently in the wild, and no patches have been linked yet. The underlying weakness is classified under CWE-352, which pertains to improper validation of requests to prevent CSRF attacks. This vulnerability is significant in the context of WordPress sites using this plugin, as it could allow attackers to manipulate event calendar data or settings without authorization, potentially leading to misinformation or disruption of event management workflows.

Potential Impact

For European organizations using WordPress websites with the Quick Event Calendar plugin, this vulnerability poses a risk to the integrity of event-related data. While it does not compromise confidentiality or availability, unauthorized modifications to event information could disrupt business operations, marketing activities, or public communications. Organizations relying on event calendars for customer engagement, internal scheduling, or public event announcements could face reputational damage or operational inefficiencies if attackers exploit this flaw. Given the medium severity and requirement for user interaction, the threat is more relevant in environments where users with editing privileges might be targeted via phishing or social engineering. The impact is heightened for organizations with high web traffic or those that integrate event data into critical business processes. Additionally, since no patches are currently linked, organizations remain exposed until a fix is released and applied.

Mitigation Recommendations

To mitigate this vulnerability, European organizations should first verify whether they are using the WP Corner Quick Event Calendar plugin, particularly versions up to and including 1.4.9. Until an official patch is released, administrators should consider temporarily disabling the plugin or restricting its use to trusted users only. Implementing web application firewalls (WAFs) with CSRF protection rules can help detect and block suspicious cross-site requests targeting the plugin's endpoints. Educating users with editing privileges about the risks of phishing and social engineering can reduce the likelihood of successful exploitation, since the attack requires user interaction. Additionally, organizations should monitor web server logs for unusual POST requests or actions related to the calendar plugin. Once a patch becomes available, prompt application of updates is critical. For longer-term protection, developers and administrators should ensure that all forms and state-changing requests in the plugin include anti-CSRF tokens (WordPress nonces) and validate the origin of requests to prevent unauthorized actions.
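As an added illustration of the last recommendation (not code from the Quick Event Calendar plugin or from Patchstack), the following shows a WordPress admin-post handler for a hypothetical "save event" action first without and then with nonce-based CSRF protection. The action name, option key, nonce name and form field are assumptions chosen for the example.

```php
<?php
// Added example, not the plugin's own code. Action name, option key, nonce
// name and field name are hypothetical.

// Vulnerable pattern: a capability check alone does not stop CSRF, because a
// forged cross-site POST rides on the logged-in editor's session cookie and
// therefore passes current_user_can() as that editor.
function qec_demo_save_event_vulnerable() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges' );
    }
    update_option( 'qec_demo_event_title', sanitize_text_field( wp_unslash( $_POST['event_title'] ?? '' ) ) );
    wp_safe_redirect( admin_url( 'admin.php?page=qec-demo' ) );
    exit;
}

// Hardened pattern: require a nonce bound to this action and to the current
// user. check_admin_referer() verifies the nonce field (and the referer) and
// terminates the request with an error if it is missing or invalid; a page on
// another origin cannot obtain a valid nonce for the victim's session.
function qec_demo_save_event_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges' );
    }
    check_admin_referer( 'qec_demo_save_event', 'qec_demo_nonce' );
    update_option( 'qec_demo_event_title', sanitize_text_field( wp_unslash( $_POST['event_title'] ?? '' ) ) );
    wp_safe_redirect( admin_url( 'admin.php?page=qec-demo' ) );
    exit;
}
add_action( 'admin_post_qec_demo_save_event', 'qec_demo_save_event_hardened' );

// The legitimate form must emit the matching nonce field so that real
// submissions from the plugin's own settings page still succeed.
function qec_demo_render_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="qec_demo_save_event">';
    wp_nonce_field( 'qec_demo_save_event', 'qec_demo_nonce' );
    echo '<input type="text" name="event_title">';
    submit_button( 'Save event' );
    echo '</form>';
}
```

The same nonce check belongs on every state-changing entry point (admin-post, admin-ajax and REST callbacks alike); protecting the settings form while leaving an AJAX handler unchecked leaves the CSRF exposure in place.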


Technical Details

Data Version: 5.1
Assigner Short Name: Patchstack
Date Reserved: 2025-02-21T16:46:11.506Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 6842edd971f4d251b5c87f1f

Added to database: 6/6/2025, 1:32:09 PM

Last enriched: 7/8/2025, 8:10:55 AM

Last updated: 8/9/2025, 4:23:12 PM
