CVE-2026-4117 Overview
The CalJ plugin for WordPress contains a Missing Authorization vulnerability (CWE-862) in all versions up to and including 1.5. The vulnerability exists due to a missing capability check in the CalJSettingsPage class constructor, which processes the save-obtained-key operation directly from POST data without verifying that the requesting user has the manage_options capability, and without any nonce verification.
The plugin bootstrap file (calj.php) instantiates CalJSettingsPage whenever is_admin() returns true, which occurs for any authenticated user making requests to wp-admin URLs, including admin-ajax.php. This architectural flaw enables authenticated attackers with Subscriber-level access or above to modify the plugin's API key setting and clear the Shabbat cache, effectively taking control of the plugin's API integration.
Critical Impact
Authenticated attackers with minimal privileges (Subscriber-level) can hijack the plugin's API integration by modifying API key settings without authorization, potentially compromising calendar data integrity and service availability.
Affected Products
- CalJ plugin for WordPress version 1.5 and earlier
- WordPress installations with CalJ plugin and authenticated user accounts
- Sites allowing user registration with Subscriber role or higher
Discovery Timeline
- 2026-04-22 - CVE CVE-2026-4117 published to NVD
- 2026-04-22 - Last updated in NVD database
Technical Details for CVE-2026-4117
Vulnerability Analysis
This vulnerability represents a fundamental access control failure in WordPress plugin design. The CalJ plugin fails to implement proper authorization checks before processing sensitive administrative operations, violating the principle of least privilege.
The root cause stems from the plugin's reliance on is_admin() as a security check, which is a common WordPress security anti-pattern. The is_admin() function merely checks if the current request is being made to an administrative page, not whether the user has administrative privileges. This distinction is critical—any authenticated user, including those with Subscriber roles, can trigger this function to return true by accessing wp-admin endpoints like admin-ajax.php.
The CalJSettingsPage class constructor directly processes POST data containing the save-obtained-key parameter without implementing two essential WordPress security mechanisms: capability verification via current_user_can('manage_options') and nonce validation via wp_verify_nonce(). This combination of missing controls creates a straightforward exploitation path for privilege escalation attacks.
Root Cause
The vulnerability originates from improper authorization logic in the CalJSettingsPage class. As documented in the WordPress Plugin Code Review, the class constructor processes the save-obtained-key operation without verifying user capabilities.
Additionally, the plugin bootstrap file instantiates CalJSettingsPage unconditionally whenever is_admin() returns true, expanding the attack surface to include all authenticated users accessing any wp-admin URL.
Attack Vector
The attack vector leverages the network-accessible nature of WordPress wp-admin endpoints combined with the plugin's missing authorization controls. An attacker with a low-privileged authenticated account can exploit this vulnerability through the following approach:
The attack begins with an authenticated session using any WordPress account with Subscriber-level privileges or higher. The attacker then crafts a POST request to any wp-admin URL (such as admin-ajax.php) containing the save-obtained-key parameter along with a malicious API key value. Since the CalJSettingsPage constructor processes this data without capability checks or nonce verification, the plugin accepts the new API key configuration.
This attack enables adversaries to redirect the plugin's API integration to attacker-controlled endpoints, clear cached calendar data, or disrupt the plugin's functionality. The lack of nonce verification also makes this vulnerability exploitable via Cross-Site Request Forgery (CSRF) attacks against authenticated users.
Detection Methods for CVE-2026-4117
Indicators of Compromise
- Unexpected modifications to CalJ plugin settings, particularly API key changes
- POST requests to wp-admin endpoints containing save-obtained-key parameter from non-administrator users
- Sudden cache clearing events in CalJ plugin logs without corresponding administrative actions
- API integration errors following unauthorized configuration changes
Detection Strategies
- Monitor WordPress database for changes to CalJ plugin options by non-administrative users
- Implement web application firewall rules to detect POST requests containing CalJ-specific parameters from low-privilege sessions
- Review Apache/Nginx access logs for wp-admin POST requests from users who should not have administrative access
- Deploy WordPress audit logging plugins to track plugin configuration changes with user attribution
Monitoring Recommendations
- Enable comprehensive audit logging for WordPress plugin settings modifications
- Configure alerts for CalJ API key changes occurring outside normal administrative workflows
- Implement real-time monitoring of wp-admin POST requests with plugin-specific parameter patterns
- Review user role assignments to ensure Subscriber accounts are not being used for unauthorized administrative operations
How to Mitigate CVE-2026-4117
Immediate Actions Required
- Update CalJ plugin to a version beyond 1.5 once a patched release becomes available
- Review WordPress user accounts and remove unnecessary Subscriber-level accounts
- Audit CalJ plugin settings for unauthorized modifications and restore legitimate API keys
- Implement web application firewall rules to block exploitation attempts targeting this vulnerability
Patch Information
Currently, the vulnerable version 1.5 is the latest release. Monitor the Wordfence Vulnerability Report and WordPress plugin repository for security updates. Administrators should subscribe to CalJ plugin update notifications and apply patches immediately upon release.
Workarounds
- Temporarily disable the CalJ plugin if not critically needed until a patch is available
- Restrict WordPress user registration to prevent creation of new Subscriber accounts
- Implement IP-based access restrictions for wp-admin endpoints
- Deploy a web application firewall with rules to filter POST requests containing save-obtained-key parameter from non-administrator sessions
# .htaccess rule to restrict wp-admin POST access (Apache)
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} ^/wp-admin/
RewriteCond %{HTTP_COOKIE} !wordpress_logged_in.*administrator
RewriteCond %{QUERY_STRING} save-obtained-key [OR]
RewriteCond %{REQUEST_BODY} save-obtained-key
RewriteRule .* - [F,L]
</IfModule>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
