CVE-2025-68603

Editorial Calendar <= 3.8.8 - Missing Authorization

mediumMissing Authorization
4.3
CVSS Score
4.3
CVSS Score
medium
Severity
3.8.9
Patched in
39d
Time to patch

Description

The Editorial Calendar plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 3.8.8. This makes it possible for authenticated attackers, with contributor-level access and above, to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=3.8.8
PublishedDecember 20, 2025
Last updatedJanuary 27, 2026
Affected plugineditorial-calendar

Source Code

WordPress.org SVN
Research Plan
Unverified

# Research Plan: CVE-2025-68603 Editorial Calendar <= 3.8.8 - Missing Authorization ## 1. Vulnerability Summary The **Editorial Calendar** plugin for WordPress (versions <= 3.8.8) contains a missing authorization vulnerability in its AJAX handlers. While the plugin implements nonce checks for CSRF …

Show full research plan

Research Plan: CVE-2025-68603 Editorial Calendar <= 3.8.8 - Missing Authorization

1. Vulnerability Summary

The Editorial Calendar plugin for WordPress (versions <= 3.8.8) contains a missing authorization vulnerability in its AJAX handlers. While the plugin implements nonce checks for CSRF protection, it fails to perform adequate capability checks (e.g., current_user_can()) to ensure that the authenticated user has the permission to modify the specific post or setting targeted. This allows users with Contributor level access to perform actions they are not authorized for, such as moving or changing the status of posts authored by other users (including Administrators).

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Action: edcal_movepost (Inferred based on plugin functionality and common "Missing Authorization" patterns in this plugin).
  • Payload Parameters:
    • action: edcal_movepost
    • postid: The ID of a post authored by an Administrator.
    • newdate: A target date string (e.g., 2025-12-25).
    • status: The desired post status (e.g., draft or pending).
    • edcal_nonce: The security nonce required for the action.
  • Authentication: Authenticated; Contributor-level session required.
  • Preconditions:
    • Plugin version <= 3.8.8 installed.
    • At least one post exists that was created by another user (e.g., Administrator).

3. Code Flow (Inferred)

  1. The plugin registers AJAX handlers in the main plugin file or an included library (e.g., edcal.php):
    add_action('wp_ajax_edcal_movepost', 'edcal_movepost');
  2. The edcal_movepost function begins by verifying a nonce:
    check_ajax_referer('edcal_nonce', 'edcal_nonce');
  3. The function retrieves postid and newdate from $_POST.
  4. Vulnerability: The function lacks a call to current_user_can('edit_post', $postid). It proceeds to update the post's post_date and post_status using wp_update_post() or direct $wpdb queries.
  5. Because wp_ajax_ handlers are available to all logged-in users who can access the admin area (including Contributors), and because the plugin localized the edcal_nonce to the calendar page accessible by Contributors, the authorization check is bypassed.

4. Nonce Acquisition Strategy

The Editorial Calendar plugin localizes its data, including nonces, when the calendar page is loaded.

  1. Identify Entry Point: The calendar is located at /wp-admin/admin.php?page=cal.
  2. Access as Contributor: Login with a Contributor account and navigate to this page.
  3. Extract Nonce: The nonce is stored in a global JavaScript object, typically edcal_data.
  4. Tooling: Use browser_navigate to reach the page and browser_eval to extract the nonce.
    • JS Variable: window.edcal_data?.nonce (Verify this name in the source or page source).

5. Exploitation Strategy

  1. Target Selection: Identify a post ID authored by an Administrator (e.g., ID 1).
  2. Setup Session: Authenticate the http_request tool with a Contributor's cookies.
  3. Fetch Nonce:
    • Navigate to http://localhost:8080/wp-admin/admin.php?page=cal.
    • Execute browser_eval("edcal_data.nonce") to retrieve the edcal_nonce.
  4. Craft Exploit Request:
    POST /wp-admin/admin-ajax.php HTTP/1.1
    Host: localhost:8080
    Content-Type: application/x-www-form-urlencoded
    
    action=edcal_movepost&postid=[ADMIN_POST_ID]&newdate=2028-01-01&status=draft&edcal_nonce=[EXTRACTED_NONCE]
    
  5. Analyze Response: A successful update usually returns a JSON object containing the updated post details or a success message.

6. Test Data Setup

  1. Administrator Post: Ensure the default "Hello world!" post (ID 1) is owned by the Administrator (ID 1).
  2. Contributor User: Create a user with the contributor role.
    • wp user create attacker attacker@example.com --role=contributor --user_pass=password
  3. Plugin State: Ensure Editorial Calendar 3.8.8 is active.

7. Expected Results

  • The AJAX request should return a 200 OK response.
  • The response body should reflect that the post date was changed.
  • The post with postid (owned by Admin) should now have a modified post_date in the database, even though the Contributor (attacker) does not have the edit_others_posts capability.

8. Verification Steps

  1. Database Check: Use WP-CLI to verify the post date change.
    • wp post get [ADMIN_POST_ID] --field=post_date
  2. Capability Verification: Confirm the attacker is indeed a Contributor and lacks the permission to edit the targeted post normally.
    • wp user get attacker --field=roles (Should be contributor).
    • wp eval "echo current_user_can('edit_post', [ADMIN_POST_ID]) ? 'true' : 'false';" (When run as the contributor user, should be false).

9. Alternative Approaches

  • Change Post Status: If edcal_movepost is patched or behaves differently, attempt to use the same logic on edcal_changestatus if it exists.
  • Unauthorized Post Creation: Check if edcal_addpost allows a contributor to create posts with an arbitrary post_author or forbidden post_status.
  • Settings Modification: Search for edcal_saveoptions or similar handlers that might allow a contributor to change global plugin settings.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.