{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-14160", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-12-05T20:39:55.897Z", "datePublished": "2025-12-12T03:20:58.130Z", "dateUpdated": "2026-04-08T17:26:21.777Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:26:21.777Z"}, "affected": [{"vendor": "justdave", "product": "Upcoming for Calendly", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.2.4", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Upcoming for Calendly plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.4. This is due to missing nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to update the plugin's Calendly API key via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "title": "Upcoming for Calendly <= 1.2.4 - Cross-Site Request Forgery to Settings Update", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d66d6f36-ad16-40ba-b32f-f4aff6f8b494?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/upcoming-for-calendly/trunk/includes/settings.php#L33"}, {"url": "https://plugins.trac.wordpress.org/browser/upcoming-for-calendly/tags/1.2.4/includes/settings.php#L33"}, {"url": "https://wordpress.org/plugins/upcoming-for-calendly/#developers"}, {"url": "https://plugins.trac.wordpress.org/changeset/3415892/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "cweId": "CWE-352", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Nur Ibnu Hubab"}], "timeline": [{"time": "2025-12-11T14:28:42.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-12T18:37:16.841829Z", "id": "CVE-2025-14160", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-12T18:37:32.032Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-14160", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-12-05T20:39:55.897Z", "datePublished": "2025-12-12T03:20:58.130Z", "dateUpdated": "2025-12-12T18:37:32.032Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-12-12T03:20:58.130Z"}, "affected": [{"vendor": "justdave", "product": "Upcoming for Calendly", "versions": [{"version": "*", "status": "affected", "lessThanOrEqual": "1.2.4", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Upcoming for Calendly plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.4. This is due to missing nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to update the plugin's Calendly API key via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "title": "Upcoming for Calendly <= 1.2.4 - Cross-Site Request Forgery to Settings Update", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d66d6f36-ad16-40ba-b32f-f4aff6f8b494?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/upcoming-for-calendly/trunk/includes/settings.php#L33"}, {"url": "https://plugins.trac.wordpress.org/browser/upcoming-for-calendly/tags/1.2.4/includes/settings.php#L33"}, {"url": "https://wordpress.org/plugins/upcoming-for-calendly/#developers"}, {"url": "https://plugins.trac.wordpress.org/changeset/3415892/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "cweId": "CWE-352", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Nur Ibnu Hubab"}], "timeline": [{"time": "2025-12-11T14:28:42.000+00:00", "lang": "en", "value": "Disclosed"}]}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-14160", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-12T18:37:16.841829Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-12T18:37:24.098Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Upcoming for Calendly plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.4. This is due to missing nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to update the plugin's Calendly API key via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "id": "CVE-2025-14160", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-12-12T04:15:48.600", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/upcoming-for-calendly/tags/1.2.4/includes/settings.php#L33"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/upcoming-for-calendly/trunk/includes/settings.php#L33"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3415892/"}, {"source": "security@wordfence.com", "url": "https://wordpress.org/plugins/upcoming-for-calendly/#developers"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d66d6f36-ad16-40ba-b32f-f4aff6f8b494?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T21:28:56.843138+00:00", "value": {"mitigation_remediation": ["Upgrade the plugin to a version newer than 1.2.4 that includes proper nonce validation.", "If an upgrade is not immediately possible, edit the plugin\u2019s settings.php file to add nonce verification to the settings update handler, following WordPress security guidelines for protecting configuration changes.", "Ensure that the settings page checks that the current user has administrator capability before rendering the form, so that only authorized users can modify the API key."], "summary": {"action": "Patch Immediately", "impact": "Unauthorized configuration change (API key alteration)"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the WordPress plugin \"Upcoming for Calendly\" published by justdave, in all releases up to and including version 1.2.4.", "description_and_impact": "The plugin lacks nonce validation on its settings update handler, creating a Cross\u2011Site Request Forgery flaw (CWE-352). An attacker who can convince a site administrator to click a forged link can trigger an update to the plugin\u2019s Calendly API key, effectively taking control of the API credentials and potentially enabling further data access or impersonation of the account.", "risk_and_exploitability": "The reported CVSS score of 4.3 indicates a low\u2011to\u2011moderate severity, while the EPSS score of less than 1\u202f% suggests a low likelihood of exploitation in the wild. The weakness is not listed in the CISA KEV catalog. The attack vector is a web application request that requires an ordinary user to be tricked into visiting a crafted link; no authentication is required for the request itself but the action must be performed by an administrator or other user with permission to update plugin settings."}}}}, "created": "2025-12-12T08:48:04.359273+00:00", "updated": "2026-04-20T21:30:18.595466+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}