Platform: wordpress
Component: wp-caldav2ics
Fixed in: 1.3.5
CVE-2025-59131 describes a Cross-Site Request Forgery (CSRF) vulnerability discovered in the WP-CalDav2ICS WordPress plugin. This flaw allows an attacker to trigger Stored Cross-Site Scripting (XSS) attacks, potentially leading to unauthorized actions and data compromise. The vulnerability affects versions from 0.0.0 up to and including 1.3.4. A patch is expected to be released by the plugin developer.
The CSRF vulnerability in WP-CalDav2ICS allows an attacker to craft malicious requests that appear to originate from a legitimate user. Successfully exploiting this vulnerability can lead to Stored XSS, where attacker-controlled JavaScript code is stored on the server and executed when other users visit affected pages. This can result in session hijacking, redirection to phishing sites, defacement of the website, or even complete compromise of the WordPress installation. The attacker could steal sensitive user data, including login credentials and personal information, and potentially gain control over the entire WordPress site.
CVE-2025-59131 was publicly disclosed on 2025-12-30. Currently, no public proof-of-concept (PoC) code is available. The EPSS score is pending evaluation. It is recommended to monitor security advisories and vulnerability databases for updates on exploitation activity.
Exploit Status
EPSS: 0.02% (5th percentile)
The primary mitigation for CVE-2025-59131 is to upgrade the WP-CalDav2ICS plugin to a version containing the fix. Until a patched version is available, consider implementing temporary workarounds such as restricting access to the plugin's administrative interface and carefully reviewing any user input that is processed by the plugin. Implementing a Content Security Policy (CSP) can also help mitigate the impact of XSS attacks by restricting the sources from which scripts can be executed. Monitor WordPress logs for suspicious activity, particularly requests to plugin endpoints.
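As an added illustration of the controls this advisory points to (nonce verification, capability checks, input sanitization, output escaping and a CSP), and not code from the WP-CalDav2ICS plugin or its fix: a hypothetical WordPress settings handler, first in the shape that lets a cross-site request store attacker-controlled markup, then hardened with WordPress's own helpers. The `example_` action, option and function names and the single CalDAV URL setting are assumptions.

```php
<?php
// Added example (not the plugin's code): a hypothetical admin setting, shown in the vulnerable shape, then hardened.
// --- Vulnerable shape (do not use) ---
// No nonce: any site a logged-in admin visits can POST here on their behalf.
// No escaping: the stored value is later rendered as raw HTML.
add_action( 'admin_post_example_save_unsafe', function () {
    update_option( 'example_caldav_url', $_POST['caldav_url'] );
    wp_safe_redirect( admin_url( 'options-general.php' ) );
    exit;
} );
function example_render_unsafe() {
    echo '<p>Feed: ' . get_option( 'example_caldav_url' ) . '</p>';
}
// --- Hardened form ---
add_action( 'admin_post_example_save', function () {
    // 1. Nonce: the form carries a token bound to this action and user that a
    //    cross-site request cannot supply; check_admin_referer() dies on mismatch.
    check_admin_referer( 'example_save_settings', 'example_nonce' );
    // 2. Capability: only users allowed to manage options may save.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'example' ), '', 403 );
    }
    // 3. Sanitize and validate on input: plain text only, http(s) scheme only.
    $url    = sanitize_text_field( wp_unslash( $_POST['caldav_url'] ?? '' ) );
    $scheme = wp_parse_url( $url, PHP_URL_SCHEME );
    if ( '' !== $url && ! in_array( $scheme, array( 'http', 'https' ), true ) ) {
        wp_die( esc_html__( 'Invalid CalDAV URL.', 'example' ), '', 400 );
    }
    update_option( 'example_caldav_url', esc_url_raw( $url ) );
    wp_safe_redirect( admin_url( 'options-general.php' ) );
    exit;
} );
// The settings form embeds the nonce field the handler checks.
function example_render_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    wp_nonce_field( 'example_save_settings', 'example_nonce' );
    echo '<input type="hidden" name="action" value="example_save">';
    echo '<input type="url" name="caldav_url" value="' . esc_attr( get_option( 'example_caldav_url', '' ) ) . '">';
    echo '<button type="submit">Save</button></form>';
}
// 4. Escape on output: stored data is never echoed raw, so a value that slipped
//    past validation still cannot become executable markup.
function example_render_feed() {
    echo '<p>Feed: ' . esc_html( get_option( 'example_caldav_url', '' ) ) . '</p>';
}
// 5. Defense in depth: a CSP without 'unsafe-inline' limits what a stored XSS payload can run.
add_action( 'send_headers', function () {
    header( "Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'" );
} );
```

The CSP shown is deliberately strict and will break wp-admin pages and themes that rely on inline scripts, so roll it out as `Content-Security-Policy-Report-Only` first and loosen it only to the sources the site actually needs.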
No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
CVE-2025-59131 is a Cross-Site Request Forgery (CSRF) vulnerability in the WP-CalDav2ICS WordPress plugin, allowing for Stored XSS attacks.
You are affected if you are using WP-CalDav2ICS versions 0.0.0 through 1.3.4. Upgrade to a patched version as soon as it becomes available.
Upgrade the WP-CalDav2ICS plugin to the latest available version. Until then, restrict access and implement a Content Security Policy (CSP).
Currently, there are no confirmed reports of active exploitation, but it's crucial to apply the fix promptly.
Check the WP-CalDav2ICS plugin page on WordPress.org or the developer's website for updates and advisories.