CVE-2022-47427: 
WordPress vulnerability analysis and mitigation

A Cross-Site Request Forgery (CSRF) vulnerability was discovered in the Joseph C Dolson My Calendar WordPress plugin versions 3.3.24.1 and below. The vulnerability was publicly disclosed on January 4, 2023, and was assigned the identifier CVE-2022-47427. The issue was fixed in version 3.3.25 of the plugin (Patchstack).

The vulnerability stems from the plugin's lack of CSRF protection mechanisms when handling event and location deletion operations. This security flaw received varying CVSS scores from different sources: NIST assigned it a high severity score of 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), while Patchstack rated it as medium severity with a score of 5.4. The vulnerability is classified under CWE-352 (Cross-Site Request Forgery) (NVD, WPScan).

The vulnerability could allow attackers to force authenticated administrators to perform unauthorized deletion of events and locations within the My Calendar plugin without their knowledge or consent (WPScan).

The vulnerability has been patched in version 3.3.25 of the My Calendar plugin. Users are advised to update to this version or later to remediate the security issue. The patch priority is considered low, and the vulnerability is unlikely to be exploited (Patchstack).