CVE-2026-24636

Sugar Calendar (Lite) <= 3.9.1 - Missing Authorization

mediumMissing Authorization
4.3
CVSS Score
4.3
CVSS Score
medium
Severity
3.10.0
Patched in
99d
Time to patch

Description

The Sugar Calendar (Lite) plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 3.9.1. This makes it possible for authenticated attackers, with contributor-level access and above, to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=3.9.1
PublishedJanuary 5, 2026
Last updatedApril 14, 2026
Affected pluginsugar-calendar-lite

What Changed in the Fix

Changes introduced in v3.10.0

Loading patch diff...

Source Code

WordPress.org SVN
Research Plan
Unverified

# Exploitation Research Plan: CVE-2026-24636 - Sugar Calendar (Lite) Missing Authorization ## 1. Vulnerability Summary The **Sugar Calendar (Lite)** plugin for WordPress is vulnerable to **Missing Authorization** in versions up to and including 3.9.1. The vulnerability exists in the handler for the…

Show full research plan

Exploitation Research Plan: CVE-2026-24636 - Sugar Calendar (Lite) Missing Authorization

1. Vulnerability Summary

The Sugar Calendar (Lite) plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 3.9.1. The vulnerability exists in the handler for the sc_admin_importer AJAX action. While intended for administrative use (importing events, categories, and other data), the function lacks a proper capability check (e.g., current_user_can( 'manage_options' )), allowing authenticated users with Contributor-level permissions or higher to trigger data import processes. This can lead to unauthorized modification of calendar data or potentially server-side request forgery (SSRF) if an attacker-controlled ICS URL is processed.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Action: sc_admin_importer
  • Vulnerable Parameter: importer_slug, ics_url (if using the ICS importer).
  • Authentication: Required (Contributor level or above).
  • Preconditions: The attacker must be logged in and possess a valid nonce for the sc_admin_importer action.

3. Code Flow

The exploitation flow follows the logic found in assets/admin/js/sc-admin-importers.js:

  1. Entry Point: The plugin registers an AJAX handler for sc_admin_importer. Based on the JS, this is registered via wp_ajax_sc_admin_importer.
  2. JS Trigger: The JS function runImporter() or runIcsImporter() sends a POST request:
    $.post(sc_admin_importers.ajax_url, {
        nonce: sc_admin_importers.nonce,
        action: "sc_admin_importer",
        importer_slug: m.runtime_vars.importer_slug,
        total_number_to_import: m.runtime_vars.total_number_to_import,
        ics_url: m.runtime_vars.ics_url // Used in runIcsImporter
    }, ...);
    
  3. Vulnerable Sink (PHP): The server-side function (inferred to be Sugar_Calendar\Admin\Importers\Ajax\handle_import or similar) receives the request. It verifies the nonce but fails to check if the user has the manage_options or edit_calendar_events capability.
  4. Execution: The importer associated with importer_slug (e.g., sugar-calendar-ics) is executed, processing data from the provided URL or local environment.

4. Nonce Acquisition Strategy

The nonce is localized in the sc_admin_importers (or sc_admin_ics_importers) object. This script is enqueued on the Sugar Calendar "Tools" page.

  1. Identify Page: The "Tools" page is typically located at wp-admin/admin.php?page=sugar-calendar-tools&tab=import.
  2. Navigation: Log in as a Contributor and navigate to the tools page. Note: Even if the UI elements are hidden by CSS/JS for Contributors, the script and its localized data are often still loaded if the admin_enqueue_scripts hook doesn't check capabilities properly.
  3. Extraction: Use browser_eval to extract the nonce:
    • Target Variable: window.sc_admin_importers?.nonce
    • Alternative: window.sc_admin_ics_importers?.nonce

5. Exploitation Strategy

We will attempt to trigger the ICS importer to fetch a remote file, demonstrating unauthorized control over the import process.

Step 1: Authentication

Log in as a Contributor user.

Step 2: Nonce Extraction

Navigate to the plugin's admin tools page and extract the nonce.

// Browser Eval
return window.sc_admin_importers?.nonce || window.sc_admin_ics_importers?.nonce;

Step 3: Trigger Unauthorized Import

Send an AJAX request to trigger the sugar-calendar-ics importer pointing to an attacker-controlled ICS file (or a valid public ICS URL to demonstrate the action).

Request via http_request:

  • URL: http://localhost:8080/wp-admin/admin-ajax.php
  • Method: POST
  • Headers: Content-Type: application/x-www-form-urlencoded
  • Body:
    action=sc_admin_importer&nonce=[EXTRACTED_NONCE]&importer_slug=sugar-calendar-ics&ics_url=https://raw.githubusercontent.com/manas-harsh/test-ics/main/test.ics
    

6. Test Data Setup

  1. User: Create a user with the contributor role.
  2. Plugin: Ensure Sugar Calendar (Lite) <= 3.9.1 is installed and active.
  3. Remote Resource: Have a URL for a valid .ics file (e.g., a GitHub raw link) ready to be used in the ics_url parameter.

7. Expected Results

  • The server should respond with a 200 OK and a JSON object indicating success or the start of the import process.
  • Example Success Response: {"success":true,"data":{"importer":{"status":"completed","progress":...}}}
  • If the vulnerability exists, the Contributor will successfully initiate the import, which should be restricted to Administrators.

8. Verification Steps

  1. Check for New Events: After the exploit, use WP-CLI to check if events from the ICS file were created:
    wp post list --post_type=sc_event
    
  2. Check Capability Enforcement: Attempt the same request without a nonce or with a fake nonce to confirm the nonce check is active but the capability check is missing.

9. Alternative Approaches

If the sugar-calendar-ics slug is not enabled or requires the Pro version, try using generic migration slugs that might be present in the Lite version's code, such as those targeting legacy plugin migrations:

  • Slug: sugar-calendar-lite-migration
  • Slug: the-events-calendar (if migration tools for other plugins are present).

If the "Tools" page is strictly blocked for Contributors, check if the nonce is available on the main Calendar dashboard: wp-admin/admin.php?page=sugar-calendar.

Research Findings
Static analysis — not yet PoC-verified

Summary

The Sugar Calendar (Lite) plugin for WordPress is vulnerable to unauthorized access in versions up to 3.9.1 because it lacks a capability check on the server-side handler for the 'sc_admin_importer' AJAX action. This allows authenticated attackers with Contributor-level permissions or higher to initiate data imports, which could lead to unauthorized modification of calendar events or SSRF via the ICS import feature.

Vulnerable Code

// assets/admin/js/sc-admin-importers.js:583
runImporter(){
    n.post(sc_admin_importers.ajax_url,{
        nonce:sc_admin_importers.nonce,
        action:"sc_admin_importer",
        importer_slug:m.runtime_vars.importer_slug,
        total_number_to_import:m.runtime_vars.total_number_to_import
    },function(t){ ... });
}

---

// assets/admin/js/sc-admin-importers.js:605
runIcsImporter(t=!1){
    n.post(sc_admin_ics_importers.ajax_url,{
        nonce:sc_admin_ics_importers.nonce,
        action:"sc_admin_importer",
        importer_slug:m.runtime_vars.importer_slug,
        total_number_to_import:m.runtime_vars.total_number_to_import,
        ics_url:m.runtime_vars.ics_url,
        clear_cache:t
    },function(t){ ... });
}

Security Fix

diff -ru /home/deploy/wp-safety.org/data/plugin-versions/sugar-calendar-lite/3.9.1/assets/admin/js/sc-admin-importers.js /home/deploy/wp-safety.org/data/plugin-versions/sugar-calendar-lite/3.10.0/assets/admin/js/sc-admin-importers.js
--- /home/deploy/wp-safety.org/data/plugin-versions/sugar-calendar-lite/3.9.1/assets/admin/js/sc-admin-importers.js	2025-10-03 06:43:16.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/sugar-calendar-lite/3.10.0/assets/admin/js/sc-admin-importers.js	2025-12-17 14:11:34.000000000 +0000
@@ -274,7 +274,7 @@
 						escapeKey: true,
 						animationBounce: 1,
 						type: 'orange',
-						icon: app.getIcon( 'exclamation-circle-solid-orange' ),
+						icon: app.getIcon( 'info-circle' ),
 						title: sc_admin_importers.strings.heads_up,
 						content: sc_admin_importers.strings.recurring_events_warning,
 						buttons: {
@@ -317,7 +317,7 @@
 						title: false,
 						content: app.runtime_vars.strings.please_select_file,
 						titleClass: 'sc-ics-importer-error-title',
-						icon: app.getIcon( 'exclamation-circle-solid-orange' ),
+						icon: app.getIcon( 'info-circle' ),
 						type: 'red',
 						buttons: {
 							confirm: {
@@ -593,7 +593,7 @@
 								title: false,
 								content: responseMessage,
 								titleClass: 'sc-ics-importer-error-title',
-								icon: app.getIcon( 'exclamation-circle-solid-orange' ),
+								icon: app.getIcon( 'info-circle' ),
 								type: 'red',
 								boxWidth: '400px',
 								buttons: {

Exploit Outline

To exploit this vulnerability, an attacker must first authenticate with at least Contributor-level privileges. The attacker then retrieves a valid security nonce for the 'sc_admin_importer' action, which is often localized in the global 'sc_admin_importers' or 'sc_admin_ics_importers' JavaScript objects within the WordPress admin dashboard. Using this nonce, the attacker can send an AJAX POST request to '/wp-admin/admin-ajax.php' with the 'action' set to 'sc_admin_importer'. By specifying a target 'importer_slug' (such as 'sugar-calendar-ics') and providing an 'ics_url' pointing to an attacker-controlled file, the attacker can force the plugin to import malicious or unauthorized calendar data. Because the server fails to check if the current user has administrative capabilities (like 'manage_options'), the request is processed successfully.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.