Description
My Calendar is a WordPress plugin for managing calendar events. In versions 3.7.6 and below, the mc_ajax_mcjs_action AJAX endpoint, registered for unauthenticated users, passes user-supplied arguments through parse_str() without validation, allowing injection of arbitrary parameters including a site value. On WordPress Multisite installations, this enables an unauthenticated attacker to call switch_to_blog() with an arbitrary site ID and extract calendar events from any sub-site on the network, including private or hidden events. On standard Single Site installations, switch_to_blog() does not exist, causing an uncaught PHP fatal error and crashing the worker thread, creating an unauthenticated denial of service vector. This issue has been fixed in version 3.7.7.
Published: 2026-04-16
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized access to private calendar events via IDOR
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is an injection flaw in the mc_ajax_mcjs_action AJAX endpoint, which accepts user-supplied arguments without validation and passes them to parse_str(). An unauthenticated attacker can supply a site ID value, causing switch_to_blog() to be invoked and the request context switched to any sub-site on a Multisite network. This grants the attacker read access to calendar events that may be marked as private or hidden. On single-site setups, the same call triggers a fatal PHP error, resulting in an unauthenticated denial of service. The flaw is an instance of CWE-639, an Insecure Direct Object Reference (IDOR) weakness.
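As an added illustration of the bug class the description and the paragraph above describe (not code from the My Calendar plugin, the advisory, or the vendor), the vulnerable shape is shown beside a hardened form. The handler names, the POST parameters and the hypothetical_fetch_events helper are assumptions; the WordPress calls (parse_str, switch_to_blog, restore_current_blog, is_multisite, get_site, current_user_can) are real.

```php
<?php
// Constructed illustration of the bug class in this advisory, not the My Calendar
// plugin's code. Handler, parameter and helper names are hypothetical stand-ins.

// Vulnerable shape: parse_str() turns an attacker-controlled string into an array,
// so any key the handler reads later (here 'site') can be injected by an anonymous
// caller. The switch runs with no authorization check, and on a single-site install
// switch_to_blog() is undefined, so the request dies with a fatal error.
function vulnerable_events_handler() {
    $raw = isset( $_POST['args'] ) ? wp_unslash( $_POST['args'] ) : '';
    parse_str( $raw, $args );                   // no allow-list, no validation
    if ( isset( $args['site'] ) ) {
        switch_to_blog( (int) $args['site'] );  // IDOR on multisite, fatal on single-site
    }
    wp_send_json( hypothetical_fetch_events( $args ) );
}

// Hardened shape: read only the keys this endpoint needs, with explicit types, and
// never let an anonymous request choose the blog context; the response is always
// scoped to the site that served the request.
function hardened_events_handler() {
    $params = array(
        'from'     => isset( $_POST['from'] ) ? sanitize_text_field( wp_unslash( $_POST['from'] ) ) : '',
        'to'       => isset( $_POST['to'] ) ? sanitize_text_field( wp_unslash( $_POST['to'] ) ) : '',
        'category' => isset( $_POST['category'] ) ? absint( $_POST['category'] ) : 0,
    );
    wp_send_json( hypothetical_fetch_events( $params ) );
}

// If cross-site reads are a genuine feature, gate them: is_multisite() first (the ms-*
// functions are only loaded on multisite), a network capability, an existing site, restore.
function events_for_site_if_authorized( $site_id, array $params ) {
    $site_id = absint( $site_id );
    if ( ! is_multisite() || ! current_user_can( 'manage_network' ) || ! get_site( $site_id ) ) {
        return new WP_Error( 'forbidden', 'Cross-site event access not permitted.' );
    }
    switch_to_blog( $site_id );
    try {
        return hypothetical_fetch_events( $params );
    } finally {
        restore_current_blog();                 // never leave the request in another site's context
    }
}

// Hypothetical helper standing in for the plugin's own event query.
function hypothetical_fetch_events( array $params ) {
    return array( 'site' => get_current_blog_id(), 'params' => $params, 'events' => array() );
}
add_action( 'wp_ajax_nopriv_mc_events', 'hardened_events_handler' );
add_action( 'wp_ajax_mc_events', 'hardened_events_handler' );
```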

Affected Systems

The affected product is the My Calendar WordPress plugin developed by joedolson. Versions up to and including 3.7.6 are vulnerable. The issue manifests on WordPress Multisite networks, where it permits cross-site data exposure, and on single-site installations, where it causes a crash if the endpoint is accessed.

Risk and Exploitability

The vulnerability has a CVSS score of 8.8 (CVSS 4.0), indicating high severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. Attackers can exploit the flaw by sending unauthenticated HTTP requests to the exposed AJAX endpoint present in all WordPress installations that host the plugin. No authentication or special privileges are required, making the attack path straightforward for any entity with network access to the site. The exploit facilitates the extraction of private calendar data from any sub-site in a Multisite network, thereby compromising confidentiality and potentially enabling further reconnaissance or lateral movement.

Generated by OpenCVE AI on April 17, 2026 at 02:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the My Calendar plugin to version 3.7.7 or later, which removes the vulnerable AJAX handler.
  • If an upgrade cannot be performed immediately, temporarily disable the My Calendar plugin or block unauthenticated access to /wp-admin/admin-ajax.php via web-server rules to eliminate the exposed endpoint.
  • Verify that the fix does not interfere with other WordPress functionalities and review any other plugins for similar IDOR vulnerabilities to ensure a comprehensive security posture.


Tracking


Advisories
Source: GitHub GHSA
ID: GHSA-2mvx-f5qm-v2ch
Title: Unauthenticated Information Disclosure (IDOR) via Multisite switch_to_blog in My Calendar
History

Fri, 17 Apr 2026 13:15:00 +0000

Type      Values Removed   Values Added
Metrics   -                ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 17 Apr 2026 00:00:00 +0000

Type                  Values Removed   Values Added
First Time appeared   -                Joedolson; Joedolson my-calendar; Wordpress; Wordpress wordpress
Vendors & Products    -                Joedolson; Joedolson my-calendar; Wordpress; Wordpress wordpress

Thu, 16 Apr 2026 22:00:00 +0000

Type          Values Removed   Values Added
Description   -                My Calendar is a WordPress plugin for managing calendar events. In versions 3.7.6 and below, the mc_ajax_mcjs_action AJAX endpoint, registered for unauthenticated users, passes user-supplied arguments through parse_str() without validation, allowing injection of arbitrary parameters including a site value. On WordPress Multisite installations, this enables an unauthenticated attacker to call switch_to_blog() with an arbitrary site ID and extract calendar events from any sub-site on the network, including private or hidden events. On standard Single Site installations, switch_to_blog() does not exist, causing an uncaught PHP fatal error and crashing the worker thread, creating an unauthenticated denial of service vector. This issue has been fixed in version 3.7.7.
Title         -                My Calendar: Unauthenticated Information Disclosure (IDOR) via Multisite switch_to_blog
Weaknesses    -                CWE-639
References    -                -
Metrics       -                cvssV4_0: {'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-17T12:32:26.622Z

Reserved: 2026-04-10T21:41:54.504Z

Link: CVE-2026-40308

Vulnrichment

Updated: 2026-04-17T12:32:10.097Z

NVD

Status : Awaiting Analysis

Published: 2026-04-16T22:16:38.940

Modified: 2026-04-17T15:38:09.243

Link: CVE-2026-40308

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T02:30:07Z

Weaknesses