Book a Room Event Calendar <= 1.9 - Cross-Site Request Forgery to Settings Update
Description
The Book a Room Event Calendar plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.9. This is due to missing or incorrect nonce validation on the settings_form()/update_settings() functionality. The plugin's options page handler dispatches on the 'action' POST parameter and calls update_settings(), which persists plugin configuration (including the external database host, username, password, prefix, database name, encryption key, and registration page URL) via update_option(), without ever generating a nonce field in the settings form or verifying one (no wp_nonce_field(), check_admin_referer(), or wp_verify_nonce() exists anywhere in the plugin). This makes it possible for unauthenticated attackers to modify the plugin's database connection settings via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- Range: <= 1.9
Patches
Vulnerability mechanics
Root cause
"Missing or incorrect nonce validation on the settings form allows Cross-Site Request Forgery."
Attack vector
An unauthenticated attacker can craft a forged HTTP POST request targeting the plugin's settings page, supplying values for `bookaroom_events_db_host`, `bookaroom_events_db_username`, `bookaroom_events_db_password`, `bookaroom_events_db_database`, `bookaroom_events_db_key`, `bookaroom_events_prefix`, and `bookaroom_events_regpage_URL`. Because the plugin lacks any CSRF protection (no nonce validation), the attacker only needs to trick a logged-in site administrator into clicking a link or submitting a form that triggers this request. The `update_settings()` method then writes the attacker-controlled values into the WordPress options table via `update_option()` [ref_id=1][ref_id=2][ref_id=3].
Affected code
The vulnerability resides in `bookaroom-events-settings.php`. The `settings_form()` handler dispatches on the `action` POST parameter and calls `update_settings()`, which persists plugin configuration via `update_option()` without ever generating a nonce field or verifying one — no `wp_nonce_field()`, `check_admin_referer()`, or `wp_verify_nonce()` exists anywhere in the plugin [ref_id=1][ref_id=2][ref_id=3].
What the fix does
The advisory states that the plugin is missing or has incorrect nonce validation on the `settings_form()`/`update_settings()` functionality. No patch is shown in the bundle; the remediation would require adding `wp_nonce_field()` to the settings form and calling `check_admin_referer()` or `wp_verify_nonce()` before processing the submitted data. Without these additions, any POST request to the settings endpoint is accepted without verifying its origin.
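As an added illustration (not the plugin's own code), the unprotected dispatch pattern the advisory describes sits next to the hardened form it calls for; settings_form() and update_settings() follow the advisory's names, while the nonce action string 'bookaroom_events_save_settings', the field name '_bookaroom_nonce' and the manage_options capability check are assumptions.

```php
<?php
// Added example, not the plugin's own code: the unprotected dispatch pattern the
// advisory describes next to a hardened version. settings_form() and
// update_settings() are the names the advisory uses; the nonce action string,
// the nonce field name and the capability check are assumptions.
class BookaroomEventsSettingsExample {
    // Parameter names from the advisory, assumed here to double as option keys.
    private const KEYS = [
        'bookaroom_events_db_host', 'bookaroom_events_db_username',
        'bookaroom_events_db_password', 'bookaroom_events_db_database',
        'bookaroom_events_db_key', 'bookaroom_events_prefix',
        'bookaroom_events_regpage_URL',
    ];

    // BEFORE: dispatch on 'action' and persist whatever was posted. A form on
    // any third-party page an administrator visits can submit this request.
    public function settings_form_vulnerable() {
        if ( isset( $_POST['action'] ) && 'update_settings' === $_POST['action'] ) {
            $this->update_settings();
        }
        echo '<form method="post"><input type="hidden" name="action" value="update_settings">';
        // ... settings inputs and submit button ...
        echo '</form>';
    }

    // AFTER: the form carries a nonce bound to this action, and the handler
    // persists nothing unless the nonce verifies and the user may manage options.
    public function settings_form_hardened() {
        if ( isset( $_POST['action'] ) && 'update_settings' === $_POST['action'] ) {
            // Dies with WordPress's "link has expired" page when the nonce is missing or stale.
            check_admin_referer( 'bookaroom_events_save_settings', '_bookaroom_nonce' );
            if ( ! current_user_can( 'manage_options' ) ) {
                wp_die( esc_html__( 'You are not allowed to change these settings.' ) );
            }
            $this->update_settings();
        }
        echo '<form method="post"><input type="hidden" name="action" value="update_settings">';
        wp_nonce_field( 'bookaroom_events_save_settings', '_bookaroom_nonce' );
        // ... settings inputs and submit button ...
        echo '</form>';
    }

    // Writes each posted setting to the options table, as the advisory describes.
    private function update_settings() {
        foreach ( self::KEYS as $key ) {
            if ( isset( $_POST[ $key ] ) ) {
                update_option( $key, sanitize_text_field( wp_unslash( $_POST[ $key ] ) ) );
            }
        }
    }
}
```

Because a WordPress nonce is derived from the logged-in user's session and the action string, a page on another origin cannot produce a valid one, so the hardened handler never reaches update_option() for a cross-site request.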
Preconditions
- Auth: The attacker must trick a logged-in WordPress administrator into performing an action (e.g., clicking a link or submitting a form) that sends a forged POST request to the plugin's settings page.
- Input: The attacker's forged request must include the 'action' POST parameter and any of the plugin's database/registration settings parameters.
Generated on Jun 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- plugins.trac.wordpress.org/browser/book-a-room-event-calendar/trunk/bookaroom-events-settings.php (MITRE)
- www.wordfence.com/threat-intel/vulnerabilities/id/18b77c9b-6614-4a3f-a003-54567d9c4408 (MITRE)
News mentions
No linked articles in our index yet.