Description
Authorization Bypass Through User-Controlled Key vulnerability in SimpleCalendar Google Calendar Events google-calendar-events allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Google Calendar Events: from n/a through <= 3.5.9.
Published: 2025-12-30
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an Insecure Direct Object Reference that allows an attacker to bypass authorization controls by manipulating a user‑controlled key, enabling access to calendar events belonging to other users. This flaw results in unauthorized disclosure of calendar information and can compromise data confidentiality and integrity. The weakness is identified as CWE‑639 and can be triggered by a user who can execute plugin functions, potentially exposing sensitive scheduling data.

Affected Systems

The affected product is the WordPress Google Calendar Events plugin developed by SimpleCalendar, from the earliest available release through version 3.5.9. Administrators should review any installations of this plugin on WordPress sites, as they may be vulnerable.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity, while the EPSS score of less than 1% suggests a low likelihood of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. Attackers can exploit the IDOR by interacting with the plugin's user-controlled keys, typically through the web interface, which requires an authenticated session or a valid user role. These prerequisites reduce the exploit probability but still pose a meaningful risk for sites with broad admin permissions.

Generated by OpenCVE AI on April 29, 2026 at 15:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WordPress Google Calendar Events plugin to a version newer than 3.5.9 to apply the vendor fix.
  • Restrict access to the plugin’s functionality by limiting permissions to trusted administrator roles and disabling the plugin for users that do not need calendar features.
  • Audit existing calendar entries for potential unauthorized exposure and rotate any credentials or API keys that may have been compromised through the plugin.
  • Monitor site logs for unusual activity involving the plugin’s endpoints to detect attempted exploitation.

Advisories

No advisories yet.

History

Tue, 28 Apr 2026 21:15:00 +0000

Type: Metrics
Values Removed: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}
Values Added: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Mon, 05 Jan 2026 10:45:00 +0000

Type: First Time appeared
Values Added: Simplecalendar; Simplecalendar google Calendar Events; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Simplecalendar; Simplecalendar google Calendar Events; Wordpress; Wordpress wordpress

Tue, 30 Dec 2025 23:15:00 +0000

Type: Metrics
Values Added: cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 30 Dec 2025 11:00:00 +0000

Type: Description
Values Added: Authorization Bypass Through User-Controlled Key vulnerability in SimpleCalendar Google Calendar Events google-calendar-events allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Google Calendar Events: from n/a through <= 3.5.9.

Type: Title
Values Added: WordPress Google Calendar Events plugin <= 3.5.9 - Insecure Direct Object References (IDOR) vulnerability

Type: Weaknesses
Values Added: CWE-639

Type: References
Values Added: (none listed)

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:33.469Z

Reserved: 2025-12-29T11:17:52.921Z

Link: CVE-2025-68979

Vulnrichment

Updated: 2025-12-30T21:49:51.010Z

NVD

Status: Deferred

Published: 2025-12-30T11:15:56.493

Modified: 2026-04-27T19:16:38.950

Link: CVE-2025-68979

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T15:15:14Z

Weaknesses