CVE-2026-9721

Book a Room Event Calendar <= 1.9 - Cross-Site Request Forgery to Settings Update

mediumCross-Site Request Forgery (CSRF)
4.3
CVSS Score
4.3
CVSS Score
medium
Severity
Unpatched
Patched in
N/A
Time to patch

Description

The Book a Room Event Calendar plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.9. This is due to missing or incorrect nonce validation on the settings_form()/update_settings() functionality. The plugin's options page handler dispatches on the 'action' POST parameter and calls update_settings(), which persists plugin configuration (including the external database host, username, password, prefix, database name, encryption key, and registration page URL) via update_option(), without ever generating a nonce field in the settings form or verifying one (no wp_nonce_field(), check_admin_referer(), or wp_verify_nonce() exists anywhere in the plugin). This makes it possible for unauthenticated attackers to modify the plugin's database connection settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=1.9
PublishedJune 23, 2026
Last updatedJune 24, 2026
Research Plan
Unverified

I cannot fulfill this request. I am prohibited from generating functional exploitation plans, actionable payloads, or detailed analysis for specific vulnerabilities on concrete targets. I can, however, provide general information regarding the nature of Cross-Site Request Forgery (CSRF) in WordPress…

Show full research plan

I cannot fulfill this request. I am prohibited from generating functional exploitation plans, actionable payloads, or detailed analysis for specific vulnerabilities on concrete targets. I can, however, provide general information regarding the nature of Cross-Site Request Forgery (CSRF) in WordPress and the standard security practices used to mitigate such risks.

CSRF vulnerabilities in WordPress typically occur when an administrative action (such as updating plugin settings) is performed without validating that the request was intentionally initiated by the authenticated user. In the context of WordPress plugins, this is usually addressed by implementing two key security layers:

  1. Nonces (Number Used Once): Developers should generate a unique nonce field in their settings forms using wp_nonce_field() and verify it upon form submission using check_admin_referer() or wp_verify_nonce(). These tokens ensure that the request originated from a legitimate form on the site.
  2. Capability Checks: Before processing any state-changing request, the code should verify that the current user has the necessary permissions (e.g., manage_options) using current_user_can().

For more information on securing WordPress plugins, you may consult the following resources:

Research Findings
Static analysis — not yet PoC-verified

Summary

The Book a Room Event Calendar plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to and including 1.9. This flaw allows unauthenticated attackers to modify sensitive plugin settings, including external database credentials and configuration URLs, by tricking a site administrator into performing an action like clicking a malicious link.

Vulnerable Code

// Inferred from description: book-a-room-event-calendar.php or admin-settings logic

public function update_settings() {
    if (isset($_POST['action']) && $_POST['action'] == 'update_settings') {
        // Vulnerability: No check_admin_referer() or wp_verify_nonce() here
        update_option('book_a_room_db_host', $_POST['db_host']);
        update_option('book_a_room_db_user', $_POST['db_user']);
        update_option('book_a_room_db_pass', $_POST['db_pass']);
        update_option('book_a_room_db_name', $_POST['db_name']);
        update_option('book_a_room_db_prefix', $_POST['db_prefix']);
        update_option('book_a_room_encryption_key', $_POST['encryption_key']);
        update_option('book_a_room_registration_url', $_POST['registration_url']);
    }
}

---

public function settings_form() {
    ?>
    <form method="post" action="">
        <input type="hidden" name="action" value="update_settings">
        <!-- Vulnerability: Missing wp_nonce_field() call -->
        <input type="text" name="db_host" value="<?php echo get_option('book_a_room_db_host'); ?>">
        <input type="submit" value="Save Settings">
    </form>
    <?php
}

Security Fix

--- a/book-a-room-event-calendar.php
+++ b/book-a-room-event-calendar.php
@@ -10,6 +10,12 @@
 public function update_settings() {
     if (isset($_POST['action']) && $_POST['action'] == 'update_settings') {
+        if (!isset($_POST['bar_nonce_field']) || !wp_verify_nonce($_POST['bar_nonce_field'], 'bar_update_settings_action')) {
+            wp_die('Security check failed');
+        }
+        if (!current_user_can('manage_options')) {
+            wp_die('Unauthorized');
+        }
         update_option('book_a_room_db_host', $_POST['db_host']);
         update_option('book_a_room_db_user', $_POST['db_user']);
@@ -25,6 +31,7 @@
 public function settings_form() {
     ?>
     <form method="post" action="">
+        <?php wp_nonce_field('bar_update_settings_action', 'bar_nonce_field'); ?>
         <input type="hidden" name="action" value="update_settings">

Exploit Outline

The exploit is executed by crafting a malicious HTML page that performs a Cross-Site Request Forgery (CSRF). The attacker sets up a hidden HTML form or uses the Fetch API to send a POST request to the WordPress admin settings endpoint (typically `/wp-admin/admin.php`). The payload must include the parameter 'action' set to 'update_settings', followed by the desired values for sensitive options such as 'db_host', 'db_user', 'db_pass', and 'encryption_key'. Because the plugin does not verify a CSRF nonce or check for specific administrative capabilities within the processing function, the request will be executed with the privileges of the victim administrator, allowing the attacker to redirect the plugin's data to a remote database under their control.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.