CVE-2025-28958 in Bg Orthodox Calendar Plugin
Summary
by MITRE • 06/06/2025
Cross-Site Request Forgery (CSRF) vulnerability in Vadim Bogaiskov Bg Orthodox Calendar allows Stored XSS. This issue affects Bg Orthodox Calendar: from n/a through 0.13.10.
Analysis
by VulDB Data Team • 06/06/2025
This cross-site request forgery vulnerability in the Bg Orthodox Calendar plugin presents a critical security risk because it chains CSRF with stored cross-site scripting. The flaw lies in how the plugin handles user input and processes requests: an attacker can make the application act on a forged request and, through it, have arbitrary script execute in the context of authenticated users. All versions from the initial release through 0.13.10 are affected, so the flaw has been present and exploitable for a prolonged period.
The technical flaw stems from insufficient validation and sanitization of user-supplied data in the plugin's administrative interfaces and form-processing components. When a form is submitted or a request reaches one of the calendar plugin's endpoints, the application does not adequately verify that the request originated from the authenticated user, that is, it lacks sufficient CSRF protection. This lets an attacker craft a request that the server treats as legitimate and that stores an XSS payload in the application's data. The two weaknesses reinforce each other: the CSRF step provides the write, and the stored payload provides persistent script execution.
The operational impact goes beyond a typical CSRF scenario because the attacker gains a persistent foothold in the affected site. Once the payload is stored, it executes for every user who views the compromised calendar data, which can lead to session hijacking, credential theft, or further escalation. The weakness therefore affects not only the plugin but the security posture of the whole WordPress installation that hosts it: calendar entries can be manipulated, scripts injected into user sessions, and sensitive information or system resources potentially exposed.
Security professionals should consider this vulnerability in the context of CWE-352, which covers cross-site request forgery, and CWE-79, which covers cross-site scripting. The ATT&CK framework would classify this as a privilege escalation technique through web application exploitation, potentially supporting the initial access and persistence phases. Organizations should immediately implement mitigations, namely proper CSRF token validation, input sanitization, and output encoding. The recommended approach is to update to the latest version of the Bg Orthodox Calendar plugin, add web application firewall rules, and audit all plugin components for similar weaknesses. Administrators should also review and strengthen their security monitoring so that exploitation attempts are detected, and apply access controls that limit the impact of any successful attack.
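The bug class described in the analysis and the mitigations listed above (CSRF token validation, input sanitization, output encoding) can be shown side by side on a small WordPress admin handler. The following PHP is an added example and is not the Bg Orthodox Calendar plugin's own code; the `hypo_calendar_*` function names and the `hypo_calendar_note` option are assumed for illustration. The first pair of functions reproduces the pattern the advisory describes (no nonce, no capability check, raw storage, raw output); the second pair is the hardened form using only standard WordPress API calls.

```php
<?php
// Added example (not the plugin's code). All hypo_calendar_* names and the
// 'hypo_calendar_note' option are hypothetical, chosen for illustration.

// --- Vulnerable pattern (shown for contrast; do not deploy) ---------------
function hypo_calendar_save_note_vulnerable() {
    if ( isset( $_POST['calendar_note'] ) ) {
        // No nonce and no capability check: any POST that reaches this code
        // is accepted, and the raw request value is written to the database.
        update_option( 'hypo_calendar_note', $_POST['calendar_note'] );
    }
}

function hypo_calendar_render_note_vulnerable() {
    // The stored value is echoed unescaped, so stored markup runs for every viewer.
    echo get_option( 'hypo_calendar_note', '' );
}

// --- Hardened pattern -----------------------------------------------------
function hypo_calendar_note_form() {
    // wp_nonce_field() emits a hidden token tied to the current user and
    // session (plus a referer field); a cross-site forged request cannot
    // supply a valid one.
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'hypo_calendar_save_note', 'hypo_calendar_nonce' ); ?>
        <input type="hidden" name="action" value="hypo_calendar_save_note">
        <input type="text" name="calendar_note"
               value="<?php echo esc_attr( get_option( 'hypo_calendar_note', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

function hypo_calendar_save_note_hardened() {
    // 1. Authorization: only users who may manage options can write.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // 2. CSRF check: verifies the nonce for this action and stops with an
    //    error page if it is missing or invalid.
    check_admin_referer( 'hypo_calendar_save_note', 'hypo_calendar_nonce' );

    // 3. Input sanitization: remove slashes added by WP, strip tags and
    //    control characters, trim whitespace, before anything is stored.
    $note = isset( $_POST['calendar_note'] )
        ? sanitize_text_field( wp_unslash( $_POST['calendar_note'] ) )
        : '';
    update_option( 'hypo_calendar_note', $note );

    // Return to the settings screen (hypothetical page slug).
    wp_safe_redirect( admin_url( 'options-general.php?page=hypo-calendar&updated=1' ) );
    exit;
}

function hypo_calendar_render_note_hardened() {
    // 4. Output encoding: escape at render time regardless of what is stored,
    //    so even previously stored markup is shown as text, not executed.
    echo esc_html( get_option( 'hypo_calendar_note', '' ) );
}

// Route the hardened handler through admin-post.php for logged-in users.
add_action( 'admin_post_hypo_calendar_save_note', 'hypo_calendar_save_note_hardened' );
```

The same four checks apply to AJAX endpoints (`check_ajax_referer()` in place of `check_admin_referer()`) and to REST routes (a `permission_callback` on the route). Escaping on output rather than trusting stored data is what limits the damage when an earlier version of a plugin has already let unsanitized values into the database.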