Description
Missing Authorization vulnerability in Webnus Inc. Modern Events Calendar allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Modern Events Calendar: from n/a through 7.29.0.
Published: 2026-03-16
Score: 5.3 Medium
EPSS: 3.0% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw is a missing authorization oversight in Webnus Inc.'s Modern Events Calendar plugin, where incorrectly configured security levels grant users unintended access to functions or data the plugin protects. This can allow a user to read or modify event information, user data, or configuration settings that should be limited to higher‑privileged accounts, effectively enabling privilege escalation within the WordPress installation.

Affected Systems

All installations of the Modern Events Calendar plugin version 7.29.0 and earlier are impacted; the vendor is Webnus Inc. and the product is the WordPress plugin Modern Events Calendar.

Risk and Exploitability

The CVSS score of 5.3 shows moderate severity, while an EPSS score of 3% suggests a low but non‑zero likelihood of exploitation; the flaw is not listed in CISA's KEV catalog. Based on the description, the likely attack vector is a standard web request to the plugin’s endpoints, requiring no special initial conditions beyond accessing the site. Any user could exploit this misconfiguration to read or alter protected data, while authenticated users lacking sufficient permissions could still execute higher‑privilege functions, presenting a meaningful risk to confidentiality, integrity, and availability of the site’s event data.

Generated by OpenCVE AI on May 14, 2026 at 15:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Modern Events Calendar to the latest release that removes the missing authorization flaw.
  • If an upgrade cannot be performed immediately, uninstall or deactivate the plugin to eliminate the exposed functionality.
  • Adjust WordPress role capabilities so that only administrators or specifically authorized users can access event‑management actions within the plugin.

Generated by OpenCVE AI on May 14, 2026 at 15:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 17 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Webnus
Webnus modern Events Calendar
Wordpress
Wordpress wordpress
Vendors & Products Webnus
Webnus modern Events Calendar
Wordpress
Wordpress wordpress

Mon, 16 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 16 Mar 2026 15:45:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in Webnus Inc. Modern Events Calendar allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Modern Events Calendar: from n/a through 7.29.0.
Title WordPress Modern Events Calendar plugin <= 7.29.0 - Broken Access Control vulnerability
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

Subscriptions

Webnus Modern Events Calendar
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-03-16T17:53:41.571Z

Reserved: 2026-03-12T11:12:57.708Z

Link: CVE-2026-32583

cve-icon Vulnrichment

Updated: 2026-03-16T17:53:37.859Z

cve-icon NVD

Status : Deferred

Published: 2026-03-16T16:16:15.577

Modified: 2026-04-22T21:32:08.360

Link: CVE-2026-32583

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-14T15:45:23Z

Weaknesses