The plugin does not have CSRF checks when deleting and updating calendars, as well as updating the plugin settings, which could allow attackers to make logged a admin delete and update arbitrary calendars and modify the plugin settings via CSRF attacks
CPE | Name | Operator | Version |
---|---|---|---|
vr-calendar-sync | lt | 2.3.4 |