PT-2026-34285 · WordPress · Calj

Nabil Irawan · Published 2026-04-22 · Updated 2026-05-01

CVE-2026-4117
CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions: CalJ versions prior to 1.6

Description: The CalJ plugin for WordPress contains a missing authorization flaw. The CalJSettingsPage class constructor processes the 'save-obtained-key' operation from POST data without verifying that the user holds the manage_options capability and without performing nonce verification. Because the calj.php bootstrap file instantiates CalJSettingsPage for any authenticated user accessing wp-admin URLs such as 'admin-ajax.php', users with Subscriber-level access or higher can modify the API key setting and clear the Shabbat cache, allowing them to control the API integration.

Recommendations: Update to a version later than 1.5.
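As an added illustration (not CalJ's own code), the sketch below shows the pattern the description identifies beside one hardened shape: moving the handler out of the constructor onto an admin_post hook and gating it with both a capability check and a nonce check. All names other than CalJSettingsPage and 'save-obtained-key' (the option name, hook name, nonce action and form field) are hypothetical.

```php
<?php
// Added illustration, not the plugin's code. Names other than
// CalJSettingsPage and 'save-obtained-key' are hypothetical.

// Vulnerable shape: the constructor acts on POST data as soon as the
// class is instantiated. Because the bootstrap instantiates it on every
// wp-admin request (admin-ajax.php included), any logged-in user reaches
// update_option() with no capability check and no nonce check.
class CalJSettingsPage_Before {
    public function __construct() {
        if ( isset( $_POST['operation'] ) && 'save-obtained-key' === $_POST['operation'] ) {
            update_option( 'calj_api_key', sanitize_text_field( $_POST['api_key'] ) );
        }
    }
}

// Hardened shape: the constructor only registers a hook. The handler runs
// through admin-post.php for logged-in users and enforces authorization
// (manage_options) and CSRF protection (nonce) before touching any option.
class CalJSettingsPage_After {
    public function __construct() {
        add_action( 'admin_post_calj_save_obtained_key', array( $this, 'handle_save' ) );
    }

    public function handle_save() {
        // Authorization: only users who may manage options can change the key.
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_die( esc_html__( 'Insufficient permissions.', 'calj' ), '', array( 'response' => 403 ) );
        }
        // CSRF: the submitting form must carry wp_nonce_field( 'calj_save_obtained_key', 'calj_nonce' ).
        check_admin_referer( 'calj_save_obtained_key', 'calj_nonce' );

        $key = isset( $_POST['api_key'] ) ? sanitize_text_field( wp_unslash( $_POST['api_key'] ) ) : '';
        update_option( 'calj_api_key', $key );

        wp_safe_redirect( add_query_arg( 'settings-updated', 'true', admin_url( 'options-general.php?page=calj' ) ) );
        exit;
    }
}
```

The same two checks should guard any sibling operation the settings page exposes, such as clearing a cache, since the description notes that both actions were reachable through the same unguarded path.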

Fix

Weakness Enumeration: Missing Authorization
Related Identifiers: CVE-2026-4117
Affected Products: Calj