WordPress Simple Booking Calendar 1.3 Cross Site Request Forgery

`Plugin Name : WP Simple Booking Calendar A8-Cross-Site_Request_Forgery_(CSRF)  
  
Effected Version : 1.3 (and most probably lower version's if any)  
  
Vulnerability : A8-Cross-Site Request Forgery (CSRF)  
  
Identified by : Madhu Akula  
  
  
  
Technical Details  
  
Minimum Level of Access Required : Unauthenticated  
  
PoC - (Proof of Concept) :  
  
http://localhost/wp-admin/admin.php?page=wp-simple-booking-calendar&action=delete  
  
  
Vulnerable Parameter : action  
  
Impact : we can delete the any one calendar by single URL  
  
Fixed in : 1.4  
  
http://wordpress.org/plugins/wp-simple-booking-calendar/changelog/  
  
Disclosure Timeline  
  
Vendor Contacted : 2014-08-04  
  
Plugin Status : Updated on 2014-08-07  
  
Public Disclosure : October 3, 2015  
  
CVE Number : Not assigned yet  
  
Plugin Description :  
  
Create a booking calendar for your website! Do you want to show people when your holiday home (or something else) is available for rent? You can create, edit and publish a booking calendar with just a few clicks with the WP Simple Booking Calendar. This booking calendar is very easy to use! You can manage the bookings (availability) on a daily basis and embedding the booking calendar on a page takes only one mouse click. You can also use the WP Simple Booking Calendar Widget to show a booking calendar on your WordPress website. Check out http://www.wpsimplebookingcalendar.com for more information about this booking calendar.  
`