CVE-2026-4117
Missing Authorization in CalJ WordPress Plugin Allows API Key Manipulation
Publication date: 2026-04-22
Last updated on: 2026-04-22
Assigner: Wordfence
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| calj | calj | up to and including 1.5 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
The CalJ plugin for WordPress has a Missing Authorization vulnerability in all versions up to and including 1.5. The plugin does not check whether the user has the required permissions before processing certain operations. Specifically, the CalJSettingsPage class constructor handles the 'save-obtained-key' operation directly from POST data without checking that the user has the 'manage_options' capability and without any nonce verification.
Since the plugin initializes this settings page for any authenticated user accessing admin URLs, even users with low-level access like Subscribers can exploit this flaw. They can modify the plugin's API key setting and clear the Shabbat cache, effectively taking control of the plugin's API integration.
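To make the missing checks concrete, the following is an added illustration of the pattern the description names and of its hardened counterpart. It is not CalJ's own code: the class names, option name, transient name, form action and hook names are all hypothetical, chosen only to show the shape of the defect (a constructor that writes settings straight from POST data) next to the shape WordPress expects (a capability check plus a nonce check before any state change).

```php
<?php
// Added illustration; not CalJ's code. All names below are hypothetical.

// Vulnerable shape: the constructor acts on POST data as soon as the page object is
// created, with no capability check and no nonce check. If the object is built for
// any logged-in user, any logged-in user can trigger the write.
class Example_Settings_Page_Vulnerable {
    public function __construct() {
        if ( isset( $_POST['save-obtained-key'] ) ) {
            update_option( 'example_api_key', sanitize_text_field( wp_unslash( $_POST['api_key'] ?? '' ) ) );
            delete_transient( 'example_shabbat_cache' );
        }
    }
}

// Hardened shape: the constructor only registers a handler; the handler verifies the
// caller's capability and the request's nonce before touching any option.
class Example_Settings_Page {
    public function __construct() {
        add_action( 'admin_post_example_save_key', array( $this, 'handle_save_key' ) );
    }

    // Render the form only for administrators and bind it to the save action with a nonce.
    public function render() {
        if ( ! current_user_can( 'manage_options' ) ) {
            return;
        }
        echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
        wp_nonce_field( 'example_save_key', 'example_save_key_nonce' );
        echo '<input type="hidden" name="action" value="example_save_key">';
        echo '<input type="text" name="api_key">';
        submit_button( 'Save key' );
        echo '</form>';
    }

    // Authorization first, then CSRF protection, then the state change.
    public function handle_save_key() {
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_die( esc_html__( 'You are not allowed to change this setting.' ), 403 );
        }
        // Dies with a 403 if the nonce is missing, stale or issued for another action.
        check_admin_referer( 'example_save_key', 'example_save_key_nonce' );

        $key = isset( $_POST['api_key'] ) ? sanitize_text_field( wp_unslash( $_POST['api_key'] ) ) : '';
        update_option( 'example_api_key', $key );
        delete_transient( 'example_shabbat_cache' );

        wp_safe_redirect( admin_url( 'options-general.php?page=example-settings&updated=1' ) );
        exit;
    }
}
```

Two things distinguish the hardened form: the write is moved out of the constructor into a dedicated admin-post handler, so merely instantiating the page object has no side effect, and the handler checks `current_user_can( 'manage_options' )` before `check_admin_referer()`, so a low-privileged user is rejected on the capability check even if they could obtain a valid nonce. On the detection side, an option change or cache flush recorded against a Subscriber-level account is the signal to look for when assessing whether this issue was abused.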
How can this vulnerability impact me?
This vulnerability allows authenticated users with low-level access (Subscriber and above) to modify critical plugin settings without proper authorization. They can change the API key used by the plugin and clear its cache, which could disrupt the plugin's functionality or allow attackers to hijack the plugin's API integration.
Such unauthorized changes could lead to loss of control over plugin behavior, potential data manipulation, or service disruption within the WordPress site.