{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4117", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-03-13T13:19:56.963Z", "datePublished": "2026-04-22T07:45:41.691Z", "dateUpdated": "2026-04-22T07:45:41.691Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-22T07:45:41.691Z"}, "affected": [{"vendor": "calj", "product": "CalJ Shabbat Times", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.5", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The CalJ plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.5. This is due to a missing capability check in the CalJSettingsPage class constructor, which processes the 'save-obtained-key' operation directly from POST data without verifying that the requesting user has the 'manage_options' capability, and without any nonce verification. The plugin bootstrap file (calj.php) instantiates CalJSettingsPage whenever is_admin() returns true, which is the case for any authenticated user making requests to wp-admin URLs (including admin-ajax.php). This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify the plugin's API key setting and clear the Shabbat cache, effectively taking control of the plugin's API integration."}], "title": "CalJ <= 1.5 - Authenticated (Subscriber+) Arbitrary Settings Modification via 'save-obtained-key' Action", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d1c7df8e-2f82-4474-88ef-8c8ddaeb4656?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/calj/trunk/CalJSettingsPage.php#L30"}, {"url": "https://plugins.trac.wordpress.org/browser/calj/tags/1.5/CalJSettingsPage.php#L30"}, {"url": "https://plugins.trac.wordpress.org/browser/calj/trunk/CalJSettingsPage.php#L25"}, {"url": "https://plugins.trac.wordpress.org/browser/calj/tags/1.5/CalJSettingsPage.php#L25"}, {"url": "https://plugins.trac.wordpress.org/browser/calj/trunk/calj.php#L17"}, {"url": "https://plugins.trac.wordpress.org/browser/calj/tags/1.5/calj.php#L17"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan"}], "timeline": [{"time": "2026-04-21T19:08:40.000Z", "lang": "en", "value": "Disclosed"}]}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The CalJ plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.5. This is due to a missing capability check in the CalJSettingsPage class constructor, which processes the 'save-obtained-key' operation directly from POST data without verifying that the requesting user has the 'manage_options' capability, and without any nonce verification. The plugin bootstrap file (calj.php) instantiates CalJSettingsPage whenever is_admin() returns true, which is the case for any authenticated user making requests to wp-admin URLs (including admin-ajax.php). This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify the plugin's API key setting and clear the Shabbat cache, effectively taking control of the plugin's API integration."}], "id": "CVE-2026-4117", "lastModified": "2026-04-22T09:16:23.027", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-22T09:16:23.027", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/calj/tags/1.5/CalJSettingsPage.php#L25"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/calj/tags/1.5/CalJSettingsPage.php#L30"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/calj/tags/1.5/calj.php#L17"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/calj/trunk/CalJSettingsPage.php#L25"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/calj/trunk/CalJSettingsPage.php#L30"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/calj/trunk/calj.php#L17"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d1c7df8e-2f82-4474-88ef-8c8ddaeb4656?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T09:51:57.129496+00:00", "value": {"mitigation_remediation": ["Update the CalJ Shabbat Times plugin to the most recent version available, ensuring that capability verifications and nonce checks are in place for the 'save-obtained-key' action. ", "If an update is not feasible, disable or uninstall the CalJ plugin to eliminate the risk. ", "Restrict the Subscriber role from accessing wp-admin and admin-ajax endpoints or use a plugin to block the 'save-obtained-key' action for non-privileged users, ensuring only those with 'manage_options' capability can trigger the operation."], "summary": {"action": "Apply Patch", "impact": "Arbitrary Settings Modification via Administrator API Key Update"}, "threat_synthesis": {"affected_systems": "WordPress installations that have the CalJ Shabbat Times plugin version 1.5 or earlier are affected, as the vulnerability resides in the CalJSettingsPage constructor and is triggered whenever the admin context is detected (for any authenticated admin or subscriber accessing wp-admin or admin-ajax). The plugin allows an attacker to modify the settings via the 'save-obtained-key' action because no capability check nor nonce verification is performed. Sites using CalJ 1.5 or older, with at least a Subscriber role, are therefore at risk.", "description_and_impact": "The CalJ Shabbat Times WordPress plugin is vulnerable to missing authorization (CWE-862) in all versions up to 1.5, as the CalJSettingsPage constructor processes the 'save-obtained-key' POST action without verifying that the user has 'manage_options' or even checking a nonce, allowing any authenticated user with Subscriber-level access or higher to modify the plugin\u2019s API key and clear its cache, effectively taking control of the external API integration. This does not provide arbitrary code execution but permits an attacker to alter the plugin\u2019s configuration and disrupt its intended operation.", "risk_and_exploitability": "The CVSS score of 5.3 indicates moderate severity, and the requirement for authentication means that the attack can only be carried out by users who are logged in to WordPress. No known public exploit or KEV listing exists, and the EPSS score is currently unavailable, leaving the current exploitation probability uncertain. Based on the description, the likely attack vector is a crafted POST request to the admin interface that includes the 'save-obtained-key' action; an authenticated attacker could exploit the missing authorization and lack of nonce to modify the plugin's API key and cache without needing elevated privileges beyond Subscriber."}}}}, "created": "2026-04-22T10:00:10.250144+00:00", "updated": "2026-04-22T10:00:10.250156+00:00", "vendors": []}