Platform
wordpress
Component
upcoming-for-calendly
Fixed in
1.2.5
CVE-2025-14160 describes a Cross-Site Request Forgery (CSRF) vulnerability in the Upcoming for Calendly plugin for WordPress, caused by missing nonce validation on the plugin's settings update. An unauthenticated attacker can cause the plugin's settings, specifically the stored Calendly API key, to be changed, provided they can get a logged-in administrator to load an attacker-controlled page that submits the forged request. The vulnerability affects versions 1.0.0 through 1.2.4 and is fixed in version 1.2.5.
The primary impact of this CSRF vulnerability is that an attacker can overwrite the Calendly API key the plugin uses. Once the key is replaced, the site's Calendly requests are made with whatever key the attacker supplied, so the legitimate integration stops working and any event data the plugin displays is under the attacker's control rather than the site owner's. The practical result is disruption of the site's scheduling integration; the attacker does not gain access to the victim's own Calendly account through this flaw. The attack requires an administrator with an active WordPress session to visit a malicious page (a link click is not strictly necessary, since a hidden form can auto-submit), which is why administrator browsing habits matter until the plugin is patched.
This vulnerability was publicly disclosed on 2025-12-12. No public proof-of-concept (PoC) code had been released at the time of writing, but CSRF against a settings form is simple enough to reproduce that a PoC could appear quickly. The severity is rated MEDIUM; this reflects the impact and attack preconditions, not the likelihood of exploitation, which the EPSS score below estimates separately. The CVE is not currently listed in the CISA KEV catalog.
Exploit Status
EPSS: 0.02% (4th percentile)
The recommended mitigation is to upgrade the Upcoming for Calendly plugin to version 1.2.5 or later, which adds the missing nonce validation. Note that input validation on the API key field does not address CSRF, since the forged request carries a well-formed value, and stronger passwords or multi-factor authentication do not help either, because the victim is already authenticated when the forged request is sent. If upgrading cannot happen immediately, reduce exposure in the meantime: keep administrators from browsing untrusted sites while logged in to wp-admin, restrict access to the WordPress admin area by IP or VPN where that is feasible, and, if a web application firewall is in place, add a rule that blocks requests to the plugin's settings action when no valid nonce or same-origin Referer is present. After upgrading, confirm the fix by submitting a crafted cross-site request that attempts to change the Calendly API key and verifying that the request is rejected and the stored key is unchanged; if there is any indication the key was altered before patching, rotate it in Calendly and re-enter the new key.
Update to version 1.2.5, or a newer patched version
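The defect class this advisory describes is a settings handler that acts on a POST without checking a nonce. The following is an added illustration written for this page, not code from the Upcoming for Calendly plugin; the option name, admin-post action name, settings page slug and function names are all assumptions chosen for the example. It shows the vulnerable pattern beside the hardened one, using the WordPress nonce and capability functions that a fix of this kind relies on.

```php
<?php
// Added example, not the plugin's own code. 'example_calendly_api_key',
// 'example_save_calendly_key' and 'example-calendly' are made-up names.

// VULNERABLE PATTERN: any POST that reaches admin-post.php with
// action=example_save_calendly_key is honoured. A logged-in administrator
// who loads an attacker page containing an auto-submitting form pointed at
// admin-post.php has the stored API key silently overwritten. Sanitising the
// value does nothing here, because the forged value is perfectly well-formed.
function example_save_calendly_key_vulnerable() {
    if ( isset( $_POST['calendly_api_key'] ) ) {
        update_option(
            'example_calendly_api_key',
            sanitize_text_field( wp_unslash( $_POST['calendly_api_key'] ) )
        );
    }
    wp_safe_redirect( admin_url( 'options-general.php?page=example-calendly' ) );
    exit;
}

// HARDENED FORM: wp_nonce_field() embeds a token bound to the action name
// and the current user's session. An attacker's page cannot read it
// cross-origin, so a forged POST cannot include a valid one.
function example_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'example_save_calendly_key', 'example_calendly_nonce' ); ?>
        <input type="hidden" name="action" value="example_save_calendly_key">
        <label for="calendly_api_key">Calendly API key</label>
        <input type="text" id="calendly_api_key" name="calendly_api_key"
               value="<?php echo esc_attr( get_option( 'example_calendly_api_key', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// HARDENED HANDLER: reject the request unless the user holds the capability
// AND the nonce verifies. check_admin_referer() calls wp_die() on a missing
// or invalid nonce, so a cross-site POST never reaches update_option().
function example_save_calendly_key_fixed() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'example_save_calendly_key', 'example_calendly_nonce' );

    if ( isset( $_POST['calendly_api_key'] ) ) {
        update_option(
            'example_calendly_api_key',
            sanitize_text_field( wp_unslash( $_POST['calendly_api_key'] ) )
        );
    }
    wp_safe_redirect( admin_url( 'options-general.php?page=example-calendly' ) );
    exit;
}

// Only the hardened handler is registered; the vulnerable one is shown for contrast.
add_action( 'admin_post_example_save_calendly_key', 'example_save_calendly_key_fixed' );
```

To verify a deployment after upgrading, reproduce the forged request the vulnerable handler would have accepted: while logged in as an administrator, submit a POST to admin-post.php with the settings action and a new key but without the nonce field. A patched handler should respond with the WordPress "link has expired" / invalid nonce page and the stored key should be unchanged; if the key changes, the nonce check is not in the request path.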
CVE-2025-14160 is a Cross-Site Request Forgery (CSRF) vulnerability in the Upcoming for Calendly WordPress plugin, caused by missing nonce validation, that lets an attacker change the plugin's stored Calendly API key by forging a request from a logged-in administrator's browser.
You are affected if you are using Upcoming for Calendly plugin versions 1.0.0 through 1.2.4.
Upgrade the Upcoming for Calendly plugin to version 1.2.5 or later to resolve the vulnerability.
No active exploitation has been confirmed at this time, but the vulnerability's nature suggests potential for future exploitation.
Refer to the plugin developer's website or WordPress plugin repository for the official advisory and update information.