CVE-2022-3852: 
WordPress vulnerability analysis and mitigation

The VR Calendar plugin for WordPress (versions up to 2.3.3) contains a Cross-Site Request Forgery (CSRF) vulnerability identified as CVE-2022-3852. The vulnerability was discovered in November 2022 and stems from missing or incorrect nonce validation on several functions (NVD, Wordfence).

The vulnerability arises from inadequate CSRF protection mechanisms in the plugin's administrative functions. The issue specifically relates to missing nonce validation on several functions that handle calendar management operations. The vulnerability has received a CVSS v3.1 base score of 6.5 (MEDIUM) from NVD with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N, while Wordfence assessed it at 8.8 (HIGH) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (NVD).

If exploited, this vulnerability allows unauthenticated attackers to delete and modify calendars as well as plugin settings through forged requests, provided they can trick a site administrator into performing specific actions such as clicking on a malicious link (NVD).

The vulnerability has been patched in version 2.3.4 of the VR Calendar plugin. The fix implements proper WordPress nonce validation checks to prevent CSRF attacks (WordPress Plugin).