CVE-2026-1987 - Vulnerability Details

- Scheduler Widget <= 0.1.6 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary Event Modification

Description

The Scheduler Widget plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 0.1.6. This is due to the `scheduler_widget_ajax_save_event()` function lacking proper authorization checks and ownership verification when updating events. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify any event in the scheduler via the `id` parameter granted they have knowledge of the event ID.

Published: 2026-02-14

Score: 5.4 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The Scheduler Widget plugin for WordPress is vulnerable to an insecure direct object reference in the scheduler_widget_ajax_save_event() handler. The function accepts an event id parameter but does not perform authorization checks or ownership verification, allowing any authenticated user who has Subscriber-level access or higher to modify the data of any event. This flaw can enable a user to change event schedules or details, potentially disrupting scheduled events or exposing sensitive information. The flaw is classified as CWE-639.

Affected Systems

All installations of the Scheduler Widget plugin for WordPress, from vendor morelmathieuj, with version 0.1.6 or earlier are affected. Any WordPress site that has installed this plugin and has users with Subscriber role or higher is potentially impacted.

Risk and Exploitability

The CVSS base score is 5.4, indicating moderate severity, and the EPSS score is less than 1%, implying a very low exploitation probability. The vulnerability is not currently listed in CISA's KEV catalog, suggesting it has not been widely exploited. An attacker would need to be authenticated on the site with a Subscriber role or higher and possess knowledge of the numeric event ID. Once authenticated, the attacker can send an AJAX request to the plugin’s save endpoint with the target event ID to create or alter any event. No additional conditions are specified, so the attack is relatively straightforward for an insider or compromised account.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

morelmathieuj

Scheduler Widget

unaffected

Version	Status	Constraints
`0`	affected	≤ 0.1.6

No data.

Vendor Product Confidence Versions

Morelmathieuj

Scheduler Widget

—

Version	Status	Scheme	Platform
`[0,0.1.6]`	affected	semver	—

Wordpress

—

Version	Status	Scheme	Platform
`—`	unaffected	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the Scheduler Widget plugin to a version with proper authorization checks for event modifications.
If an upgrade is not possible and the plugin is required, remove or disable the plugin to prevent exposure until a fix is released.
For sites that must continue to use the plugin, consider tightening role permissions so that Subscribers cannot perform event edits, or add custom code to enforce event ownership checks before invoking the AJAX handler.

Generated by OpenCVE AI on April 15, 2026 at 18:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00064.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://cwe.mitre.org/data/definitions/639.html
https://cwe.mitre.org/data/definitions/862.html
https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/05-Authorization_Testing/04-Testing_for_Insecure_Direct_Object_References
https://plugins.trac.wordpress.org/browser/scheduler-widget/tags/0.1.6/scheduler-widget.php#L158
https://plugins.trac.wordpress.org/browser/scheduler-widget/trunk/scheduler-widget.php#L158
https://www.wordfence.com/threat-intel/vulnerabilities/id/fd5f370c-743f-41f1-80ab-7f0805cae38c?source=cve

History

Tue, 17 Feb 2026 17:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 16 Feb 2026 12:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Morelmathieuj Morelmathieuj scheduler Widget Wordpress Wordpress wordpress
Vendors & Products		Morelmathieuj Morelmathieuj scheduler Widget Wordpress Wordpress wordpress

Sat, 14 Feb 2026 06:45:00 +0000

Type	Values Removed	Values Added
Description		The Scheduler Widget plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 0.1.6. This is due to the `scheduler_widget_ajax_save_event()` function lacking proper authorization checks and ownership verification when updating events. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify any event in the scheduler via the `id` parameter granted they have knowledge of the event ID.
Title		Scheduler Widget <= 0.1.6 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary Event Modification
Weaknesses		CWE-639
References		https://cwe.mitre.org/data/definitions/639.html https://cwe.mitre.org/data/definitions/862.html https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/05-Authorization_Testing/04-Testing_for_Insecure_Direct_Object_References https://plugins.trac.wordpress.org/browser/scheduler-widget/tags/0.1.6/scheduler-widget.php#L158 https://plugins.trac.wordpress.org/browser/scheduler-widget/trunk/scheduler-widget.php#L158 https://www.wordfence.com/threat-intel/vulnerabilities/id/fd5f370c-743f-41f1-80ab-7f0805cae38c?source=cve
Metrics		cvssV3_1 `{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L'}`

Subscriptions

Morelmathieuj Scheduler Widget

Wordpress Wordpress

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2026-02-14T06:42:37.284Z

Updated: 2026-04-08T17:34:57.193Z

Reserved: 2026-02-05T15:13:29.984Z

Link: CVE-2026-1987

Vulnrichment

Updated: 2026-02-17T15:36:29.585Z

NVD

Status : Deferred

Published: 2026-02-14T07:16:12.493

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-1987

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T18:30:10Z

Weaknesses

CWE-639

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact Low

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object