Platform
wordpress
Component
wp-caldav2ics
Fixed in
1.3.5
CVE-2025-59131 describes a Cross-Site Request Forgery (CSRF) vulnerability discovered in the WP-CalDav2ICS WordPress plugin. This vulnerability allows an attacker to trigger Stored XSS attacks, potentially leading to unauthorized code execution and data theft. The vulnerability affects versions from 0.0.0 through 1.3.4. A patch is expected to be released by the plugin developer.
The CSRF vulnerability in WP-CalDav2ICS allows an attacker to craft malicious requests that appear to originate from a legitimate user. Successfully exploiting this vulnerability can lead to Stored XSS. An attacker could inject malicious JavaScript code into the plugin's data storage, which would then be executed in the browsers of other users accessing the affected WordPress site. This could result in session hijacking, defacement of the website, or the theft of sensitive user data, including credentials and personal information. The impact is amplified if the WordPress site handles sensitive data or is used for critical business operations.
CVE-2025-59131 was publicly disclosed on 2025-12-30. No public proof-of-concept (POC) code has been released at the time of writing. The vulnerability's severity is considered HIGH (CVSS 7.1). It is not currently listed on the CISA KEV catalog. Active exploitation is not confirmed, but the presence of a CSRF leading to Stored XSS warrants immediate attention and mitigation.
Websites using the WP-CalDav2ICS plugin, particularly those running older, unpatched versions (0.0.0–1.3.4), are at risk. Shared hosting environments where multiple websites share the same server resources are also at increased risk, as a compromise of one site could potentially lead to the compromise of others.
• wordpress / composer / npm:
grep -r "wp-caldav2ics" /var/www/html/
wp plugin list | grep -i wp-caldav2ics
• generic web:
curl -I https://example.com/wp-content/plugins/wp-caldav2ics/ | grep -i 'wp-caldav2ics'
Disclosure
Exploit status
EPSS
0.02% (5th percentile)
CISA SSVC
CVSS vector
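A complementary check to the grep and wp-cli commands above, written here as an added example rather than anything taken from the advisory or the plugin: a standalone PHP script that reads the plugin's `Version:` header the way WordPress core's header parser does and compares it with 1.3.5, the fixed release named at the top of this page. The plugin directory path, the `caldav_` function prefix and the constant name are assumptions for the example.

```php
<?php
// Added example (not code from WP-CalDav2ICS or this advisory).
// Finds the plugin's main file by its "Plugin Name:" header, reads its
// "Version:" header and reports whether it is older than the fixed release.

const CALDAV_FIXED_VERSION = '1.3.5'; // first fixed release per the advisory header

// Read one plugin header field from a file, mirroring WordPress core's
// get_file_data(): only the first 8 KiB is inspected, and trailing comment
// terminators are stripped from the value.
function caldav_read_header( string $file, string $key ): ?string {
    $head = file_get_contents( $file, false, null, 0, 8192 );
    if ( $head === false ) {
        return null;
    }
    if ( preg_match( '/^[ \t\/*#@]*' . preg_quote( $key, '/' ) . ':(.*)$/mi', $head, $m ) ) {
        return trim( preg_replace( '/\s*(?:\*\/|\?>).*/', '', $m[1] ) );
    }
    return null;
}

// Scan the plugin directory for the file carrying the plugin headers and
// decide whether the installed version falls in the affected range.
function caldav_plugin_status( string $plugin_dir ): array {
    foreach ( glob( rtrim( $plugin_dir, '/' ) . '/*.php' ) ?: array() as $file ) {
        $name    = caldav_read_header( $file, 'Plugin Name' );
        $version = caldav_read_header( $file, 'Version' );
        if ( $name !== null && $version !== null ) {
            return array(
                'file'     => $file,
                'name'     => $name,
                'version'  => $version,
                // Affected range is 0.0.0 through 1.3.4, i.e. anything below the fix.
                'affected' => version_compare( $version, CALDAV_FIXED_VERSION, '<' ),
            );
        }
    }
    return array( 'file' => null, 'name' => null, 'version' => null, 'affected' => false );
}

// Default path is an assumption; pass the real plugin directory as the first argument.
$status = caldav_plugin_status( $argv[1] ?? '/var/www/html/wp-content/plugins/wp-caldav2ics' );
if ( $status['file'] === null ) {
    echo "Plugin headers not found (plugin not installed, or directory path differs).\n";
} else {
    printf(
        "%s %s (%s): %s\n",
        $status['name'],
        $status['version'],
        $status['file'],
        $status['affected'] ? 'AFFECTED, older than ' . CALDAV_FIXED_VERSION : 'not in the affected version range'
    );
}
```

Run it as `php check-caldav.php /path/to/wp-content/plugins/wp-caldav2ics`. A version below 1.3.5 is the signal to act; an absent header only means the plugin is not installed at that path, so pair this with the `wp plugin list` check on multi-site or non-standard installs.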
The primary mitigation for CVE-2025-59131 is to upgrade to a patched version of the WP-CalDav2ICS plugin as soon as it becomes available. Until a patch is released, consider disabling the plugin if it's not essential. As a temporary workaround, implement strict input validation and output escaping within the plugin's code to prevent the injection of malicious scripts. Web Application Firewalls (WAFs) configured to detect and block CSRF attacks can also provide an additional layer of protection. Regularly review WordPress plugin configurations and user permissions to minimize the attack surface.
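To make the input-validation and output-escaping advice concrete, here is an added example (not code from WP-CalDav2ICS or its author) of a WordPress admin-post handler in the shape that lets a forged request plant stored script, beside a hardened version that uses the capability check, nonce verification, sanitization and escaping that WordPress itself provides. The option name, action name, form field and `caldav_example_` function names are invented for the example.

```php
<?php
/**
 * Added example (hypothetical, not the plugin's code): one text setting
 * saved through admin-post.php, shown in an insecure and a hardened form.
 */

// --- Insecure pattern (illustrative only, not hooked): no nonce, no capability
// --- check, raw output. Any request naming this action is accepted, including
// --- one a logged-in admin's browser is made to send from another site, and the
// --- stored value is later printed unescaped for every viewer.
function caldav_example_save_insecure() {
    update_option( 'caldav_example_feed_label', $_POST['feed_label'] ?? '' );
}
function caldav_example_render_insecure() {
    echo '<h2>' . get_option( 'caldav_example_feed_label', '' ) . '</h2>';
}

// --- Hardened pattern: nonce in the form, capability + nonce check on save,
// --- sanitize on input, escape on output.
function caldav_example_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="caldav_example_save">
        <?php wp_nonce_field( 'caldav_example_save', 'caldav_example_nonce' ); ?>
        <label>Feed label
            <input type="text" name="feed_label"
                   value="<?php echo esc_attr( get_option( 'caldav_example_feed_label', '' ) ); ?>">
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

function caldav_example_save() {
    // 1. Authorization: only users allowed to manage settings may proceed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // 2. CSRF defence: the nonce is tied to this user's session and to this
    //    action, so a request forged from another origin cannot carry a valid
    //    one. check_admin_referer() terminates the request if it is missing or invalid.
    check_admin_referer( 'caldav_example_save', 'caldav_example_nonce' );

    // 3. Input sanitization before storage: strips tags and control characters.
    $label = isset( $_POST['feed_label'] )
        ? sanitize_text_field( wp_unslash( $_POST['feed_label'] ) )
        : '';
    update_option( 'caldav_example_feed_label', $label );

    // Return to the settings screen; fall back to the dashboard if no referer.
    $back = wp_get_referer();
    wp_safe_redirect( $back ? add_query_arg( 'updated', '1', $back ) : admin_url() );
    exit;
}
add_action( 'admin_post_caldav_example_save', 'caldav_example_save' );

function caldav_example_render() {
    // 4. Output escaping: even if an unexpected value reached the option
    //    (older data, another code path), it is rendered as text, not markup.
    echo '<h2>' . esc_html( get_option( 'caldav_example_feed_label', '' ) ) . '</h2>';
}
```

The two controls are independent and both matter: the nonce and capability check stop the forged write, and `esc_html()` on output ensures that anything already stored, or stored through some other path, cannot execute in visitors' browsers. A Content Security Policy, as suggested in the FAQ below, is a further layer on top of this, not a replacement for it.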
No known patch available. Please review the vulnerability details carefully and implement protective measures based on your organization's risk appetite. It may be best to uninstall the affected software and find a replacement.
CVE-2025-59131 is a Cross-Site Request Forgery (CSRF) vulnerability in the WP-CalDav2ICS WordPress plugin, allowing for Stored XSS attacks.
You are affected if you are using WP-CalDav2ICS versions 0.0.0 through 1.3.4. Upgrade to a patched version as soon as it becomes available.
Upgrade the WP-CalDav2ICS plugin to the latest available version. Until then, restrict access and implement a Content Security Policy (CSP).
Currently, there are no confirmed reports of active exploitation, but it's crucial to apply the fix promptly.
Check the WP-CalDav2ICS plugin page on WordPress.org or the developer's website for updates and advisories.