Description
The Simple calendar for Elementor plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.6.6. This is due to missing capability checks on the `miga_ajax_editor_cal_delete` function that is hooked to the `miga_editor_cal_delete` AJAX action with both authenticated and unauthenticated access enabled. This makes it possible for unauthenticated attackers to delete arbitrary calendar entries by sending a request with a valid nonce and the calendar entry ID.
Published: 2026-01-28
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Deletion of calendar entries by unauthenticated users
Action: Upgrade Plugin
AI Analysis

Impact

The Simple calendar for Elementor plugin for WordPress contains a missing authorization check on the miga_ajax_editor_cal_delete function, which is hooked to the miga_editor_cal_delete AJAX action and exposed to both authenticated and unauthenticated requests. An attacker can send a request that includes a valid nonce and a specific calendar entry ID to the AJAX handler, causing that entry to be deleted. Since the action bypasses all capability checks, unauthenticated users are able to remove arbitrary entries, leading to unintended loss of content and potential disruption of calendar functionality for site users. This flaw is identified as CWE-862, "Missing Authorization".

Affected Systems

WordPress sites that have installed the migaweb Simple calendar for Elementor plugin, versions 1.6.6 and earlier. The vulnerability is present in any deployment of these plugin versions because the insecure AJAX action is registered unconditionally.

Risk and Exploitability

The CVSS base score of 5.3 indicates moderate severity. The EPSS score is less than 1% and the vulnerability is not listed in the CISA KEV catalog, suggesting a low likelihood of real‑world exploitation at present. The likely attack vector is a web‑based AJAX request that includes a valid nonce; the requirement for a nonce may constrain immediate exploitation but does not eliminate the risk if an attacker can acquire or guess a nonce from the site context. Overall, the threat is moderate but the current probability of exploitation is low.

Generated by OpenCVE AI on April 15, 2026 at 17:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Simple calendar for Elementor to the latest release (1.6.7 or newer) where the AJAX handler enforces proper capability checks.
  • If an upgrade is not immediately possible, block unauthenticated access to the miga_editor_cal_delete AJAX action, for example by disabling the action or by configuring a firewall rule that requires authentication for any request to /wp-admin/admin-ajax.php with the action miga_editor_cal_delete.
  • Apply a site‑wide content or access restriction to delete operations via a security plugin or web‑application firewall, ensuring that only users with appropriate roles can trigger deletion of calendar entries.
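
One way to apply the second recommendation without a firewall is a must-use plugin that answers the AJAX action before the vulnerable handler can run. This is an added example, not code from the plugin or from OpenCVE; the file path, the `edit_posts` capability, and the assumption that the plugin registers its handler at a priority later than 0 (WordPress defaults to 10) are assumptions to adjust per site.

```php
<?php
/**
 * Added example (not the plugin's own code): virtual patch for CVE-2026-1310
 * until Simple calendar for Elementor can be upgraded.
 * Assumed location: wp-content/mu-plugins/block-miga-cal-delete.php
 */

// Assumption: 'edit_posts' is the minimum capability that should be allowed
// to delete calendar entries. Tighten or change this to match the site's roles.
const MIGA_GUARD_CAPABILITY = 'edit_posts';

/**
 * Log the attempt and reject the request.
 * wp_send_json_error() sends the response and terminates the request, so the
 * plugin's miga_ajax_editor_cal_delete callback (assumed to be registered at
 * a later priority) never executes.
 */
function miga_guard_deny( $reason ) {
    error_log( sprintf(
        '[miga-guard] blocked miga_editor_cal_delete (%s) from %s',
        $reason,
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
    ) );
    wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
}

// Unauthenticated requests reach admin-ajax.php through the nopriv hook:
// always deny, regardless of nonce.
add_action( 'wp_ajax_nopriv_miga_editor_cal_delete', function () {
    miga_guard_deny( 'unauthenticated' );
}, 0 );

// Authenticated requests: supply the capability check the handler lacks.
add_action( 'wp_ajax_miga_editor_cal_delete', function () {
    if ( ! current_user_can( MIGA_GUARD_CAPABILITY ) ) {
        miga_guard_deny( 'insufficient capability' );
    }
    // Authorized users fall through to the plugin's own handler and nonce check.
}, 0 );
```

The `[miga-guard]` lines in the PHP error log double as a detection signal for attempts against the action; remove the file once the plugin has been upgraded.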

Advisories

No advisories yet.

History

Thu, 29 Jan 2026 10:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Migaweb; Migaweb simple Calendar For Elementor; Wordpress; Wordpress wordpress
Vendors & Products | | Migaweb; Migaweb simple Calendar For Elementor; Wordpress; Wordpress wordpress

Wed, 28 Jan 2026 15:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 28 Jan 2026 07:00:00 +0000

Type | Values Removed | Values Added
Description | | The Simple calendar for Elementor plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.6.6. This is due to missing capability checks on the `miga_ajax_editor_cal_delete` function that is hooked to the `miga_editor_cal_delete` AJAX action with both authenticated and unauthenticated access enabled. This makes it possible for unauthenticated attackers to delete arbitrary calendar entries by sending a request with a valid nonce and the calendar entry ID.
Title | | Simple calendar for Elementor <= 1.6.6 - Missing Authorization to Unauthenticated Arbitrary Calendar Entry Deletion
Weaknesses | | CWE-862
References | |
Metrics | | cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:29:46.743Z

Reserved: 2026-01-21T20:23:26.889Z

Link: CVE-2026-1310

Vulnrichment

Updated: 2026-01-28T14:50:16.758Z

NVD

Status: Deferred

Published: 2026-01-28T07:16:00.900

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-1310

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T18:00:15Z
