Description
The My Calendar – Accessible Event Manager plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.7.9. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with custom-level access and above, to bypass the moderation and approval workflow by tampering with the POST body to publish events or set other unauthorized statuses such as cancelled or private, in ways their role does not permit. While the UI correctly restricts low-privilege users to a draft-only submit button, this restriction is enforced only client-side, making it trivially bypassable by directly manipulating the POST request.
Published: 2026-05-14
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The My Calendar plugin for WordPress lacks proper server‑side authorization checks on event approval parameters. An attacker who is logged in with a custom‑level or higher role can modify the POST body to set the event_approved flag or other status fields such as cancelled or private. Because the user interface performs the role check only on the client side, the server accepts the altered values without verification, allowing the attacker to publish, cancel, or privatize events that their role normally cannot manage. The vulnerability does not provide direct remote code execution but can lead to data integrity violations, undesired scheduling, and potential loss of trust in the event system.

Affected Systems

WordPress sites running the My Calendar – Accessible Event Manager plugin, version 3.7.9 or older. All users with at least a custom‑level role—typically administrators, editors, and similar privileged users—are impacted.

Risk and Exploitability

The CVSS score of 4.3 indicates moderate severity. The exploit requires authenticated access with a custom‑level or higher role; no known public exploit is listed in KEV, and EPSS score is not available. Because the plugin performs no server‑side validation, the attack remains feasible as soon as a user with sufficient privileges gains network access to the site. The risk primarily affects event integrity and availability on sites that rely on the approval workflow for scheduling.

Generated by OpenCVE AI on May 14, 2026 at 05:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the My Calendar plugin to the latest available version to restore proper server‑side authorization checks for event approval.
  • If an upgrade cannot be performed immediately, adjust role capabilities to remove high‑privilege users from the ability to set event approval status, for example by revoking the "publish_mycalendar_events" capability from custom and related roles.
  • Verify that the event_approved POST parameter is not accepted for users with insufficient privileges by submitting a test request and confirming that the server rejects it with an appropriate error.
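The weakness this record describes (CWE-862, an authorization decision made only in the browser) is easiest to see as a handler that trusts the submitted status next to one that derives the status from the caller's capability on the server. The snippet below is an added illustration written for this page; it is not the My Calendar plugin's code nor anything published by OpenCVE. The function names `mc_demo_save_event_vulnerable`, `mc_demo_save_event_hardened`, the capability name `mc_demo_approve_events` and the nonce action `mc_demo_save_event` are assumptions made for the example; `event_approved` is the parameter the advisory title names, and `wp_verify_nonce`, `current_user_can` and `wp_die` are real WordPress core functions.

```php
<?php
// Added example for the CWE-862 pattern in this record. Not the plugin's code.
// Assumed names: mc_demo_save_event_vulnerable, mc_demo_save_event_hardened,
// the capability mc_demo_approve_events and the nonce action mc_demo_save_event.
// event_approved is the parameter named in the advisory title.

// VULNERABLE PATTERN: the UI hides the approve/publish control from low-privilege
// roles, but the server writes whatever status arrives in the POST body.
function mc_demo_save_event_vulnerable( array $post ) {
    $status = isset( $post['event_approved'] ) ? (int) $post['event_approved'] : 0;
    // $status is persisted as-is, so the client-side restriction is the only
    // control: a role that should only create drafts can still submit a
    // non-draft status.
    return $status;
}

// HARDENED PATTERN: verify the form nonce, then let the caller's capability,
// not the submitted value, decide whether a non-draft status is permitted.
function mc_demo_save_event_hardened( array $post ) {
    if ( ! isset( $post['_wpnonce'] )
        || ! wp_verify_nonce( $post['_wpnonce'], 'mc_demo_save_event' ) ) {
        wp_die( 'Invalid request.', 403 );
    }

    $requested = isset( $post['event_approved'] ) ? (int) $post['event_approved'] : 0;

    // Assumption for this example: 0 is the draft/pending status; every other
    // value (published, cancelled, private) requires the approve capability.
    if ( 0 !== $requested && ! current_user_can( 'mc_demo_approve_events' ) ) {
        // Refusing (rather than silently downgrading to draft) makes tampering
        // attempts visible in the web server and application logs as 403s.
        wp_die( 'You are not allowed to set this event status.', 403 );
    }

    return $requested;
}
```

Applied to the third recommended action above, the same capability check is what a test request against a patched site should hit: a draft-only account that submits a non-draft `event_approved` value should receive a 403, and that response is also the signal to alert on if it appears repeatedly from one account.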



Advisories

No advisories yet.

History

Thu, 14 May 2026 11:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 14 May 2026 06:15:00 +0000

Type: First Time appeared
Values Added: Joedolson; Joedolson my Calendar – Accessible Event Manager; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Joedolson; Joedolson my Calendar – Accessible Event Manager; Wordpress; Wordpress wordpress

Thu, 14 May 2026 04:45:00 +0000

Type: Description
Values Added: The My Calendar – Accessible Event Manager plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.7.9. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with custom-level access and above, to bypass the moderation and approval workflow by tampering with the POST body to publish events or set other unauthorized statuses such as cancelled or private, in ways their role does not permit. While the UI correctly restricts low-privilege users to a draft-only submit button, this restriction is enforced only client-side, making it trivially bypassable by directly manipulating the POST request.

Type: Title
Values Added: My Calendar <= 3.7.9 - Authenticated (Custom+) Missing Authorization to Unauthorized Event Publication via 'event_approved' Parameter

Type: Weaknesses
Values Added: CWE-862

Type: References

Type: Metrics
Values Added: cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}


Subscriptions

Joedolson My Calendar – Accessible Event Manager
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-14T10:47:55.384Z

Reserved: 2026-04-30T17:19:49.647Z

Link: CVE-2026-7525

Vulnrichment

Updated: 2026-05-14T10:47:50.323Z

NVD

Status: Deferred

Published: 2026-05-14T05:16:45.947

Modified: 2026-05-14T14:29:01.600

Link: CVE-2026-7525

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-14T06:00:11Z

Weaknesses