Cross-Site Request Forgery Vulnerability in Book a Room Event Calendar Plugin for WordPress
CVE-2026-9721
4.3 MEDIUM
What is CVE-2026-9721?
The Book a Room Event Calendar plugin for WordPress is vulnerable to Cross-Site Request Forgery due to insufficient nonce validation. This flaw allows unauthenticated attackers to modify critical database connection settings, including host, username, password, and database name, if they can trick an administrator into executing a malicious action. Because the settings forms contain no nonce fields, the plugin does not verify that a request is genuine, which puts sites at risk whenever an administrator can be induced to perform such an action.
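The missing control, shown as an added example that is not the plugin's own code: a WordPress settings form that emits a nonce and a handler that verifies it before writing anything. Every `demo_` function, action, field, option and page name is a hypothetical placeholder; only the WordPress core functions are real.

```php
<?php
// Added illustration. All "demo_" identifiers are hypothetical, not the plugin's.

// Render the settings form with a nonce tied to this action and the logged-in user.
function demo_render_db_settings_form() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="demo_save_db_settings">
        <?php wp_nonce_field( 'demo_save_db_settings', 'demo_db_nonce' ); ?>
        <!-- Only the host field is shown; the other fields follow the same pattern. -->
        <input type="text" name="demo_db_host"
               value="<?php echo esc_attr( get_option( 'demo_db_host', '' ) ); ?>">
        <?php submit_button(); ?>
    </form>
    <?php
}

// Handle the POST: capability check, then nonce check, before any option is written.
function demo_save_db_settings() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }

    // Stops the request with a 403 when the nonce is missing, expired,
    // or was issued for a different user or action. A forged cross-site
    // request cannot supply a valid value, so it ends here.
    check_admin_referer( 'demo_save_db_settings', 'demo_db_nonce' );

    foreach ( array( 'demo_db_host', 'demo_db_user', 'demo_db_name' ) as $key ) {
        if ( isset( $_POST[ $key ] ) ) {
            update_option( $key, sanitize_text_field( wp_unslash( $_POST[ $key ] ) ) );
        }
    }

    wp_safe_redirect( admin_url( 'options-general.php?page=demo-db-settings' ) );
    exit;
}
add_action( 'admin_post_demo_save_db_settings', 'demo_save_db_settings' );
```

When auditing a plugin for this class of flaw, look for handlers that call `update_option()` or write to `$wpdb` from `$_POST` data without a preceding `check_admin_referer()` or `wp_verify_nonce()` call.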
Affected Version(s)
Book a Room Event Calendar: versions 0 through 1.9 (<= 1.9)