VR Calendar WordPress Plugin Cross-Site Request Forgery Vulnerability

A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the VR Calendar plugin for WordPress, affecting all versions through 2.4.7. The issue arises from inadequate nonce validation in the syncCalendar() function, allowing unauthenticated attackers to initiate a calendar synchronization by sending a forged request, provided they can persuade a site administrator to click a link or perform a similar action.

Impact

Exploitation of this vulnerability allows for Cross-Site Request Forgery, where an attacker can trick a user into performing actions without their consent, specifically by synchronizing calendars on their behalf.

Reproduction

To reproduce this vulnerability, an attacker must send a forged request to the syncCalendar() function without a valid nonce. This can be done by tricking an administrator into clicking a link that activates the request, such as through email or a compromised website.