Missing Authorization Vulnerability in CalJ Plugin for WordPress
CVE-2026-4117

5.3 MEDIUM

Key Information:

Vendor: WordPress
CVE Published: 22 April 2026

What is CVE-2026-4117?

The CalJ plugin for WordPress is vulnerable because capability checks are missing from the constructor of its CalJSettingsPage class. As a result, any authenticated user with Subscriber access or higher can make unauthorized modifications to the plugin's API settings and clear the associated cache. The plugin processes data taken directly from user POST requests without enforcing proper permissions or nonce validation, which potentially enables attackers to exploit the plugin's functionality from admin interfaces and so affects its API integrations.
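
The two checks the description names as missing, shown in a hardened settings handler. This is an added example, not the CalJ plugin's code: the class, hook, option, transient, nonce and field names are hypothetical, and it assumes it is loaded inside WordPress.

```php
<?php
// Added illustration, not the CalJ plugin's code. Every "example_*" name
// below (hook, option, transient, nonce action, form field) is hypothetical.
class Example_Settings_Page {
    const NONCE_ACTION = 'example_save_settings';

    public function __construct() {
        // The constructor runs whenever the class is instantiated, for any
        // logged-in user. It only registers a handler and never acts on
        // $_POST itself.
        add_action( 'admin_post_example_save_settings', array( $this, 'handle_save' ) );
    }

    public function handle_save() {
        // 1. Authorization: admin endpoints are reachable by Subscribers,
        //    so the capability has to be checked explicitly.
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_die( 'You are not allowed to change these settings.', '', array( 'response' => 403 ) );
        }

        // 2. Intent: reject requests that do not carry the nonce emitted
        //    by wp_nonce_field( self::NONCE_ACTION ) in the settings form.
        check_admin_referer( self::NONCE_ACTION );

        // 3. Only now read and sanitize the submitted value.
        $api_key = isset( $_POST['example_api_key'] )
            ? sanitize_text_field( wp_unslash( $_POST['example_api_key'] ) )
            : '';
        update_option( 'example_api_key', $api_key );

        // Clearing the cache is a state change too, so it sits behind
        // the same two checks.
        if ( ! empty( $_POST['example_clear_cache'] ) ) {
            delete_transient( 'example_api_cache' );
        }

        wp_safe_redirect( admin_url( 'options-general.php?page=example-settings' ) );
        exit;
    }
}
```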

Affected Version(s)

CalJ Shabbat Times 0 <= 1.5

CVSS V3.1

Score: 5.3
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Nabil Irawan