CVE-2025-67592: Missing Authorization in Joe Dolson My Calendar
Missing Authorization vulnerability in Joe Dolson My Calendar my-calendar allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects My Calendar: from n/a through <= 3.6.16.
AI Analysis
Technical Summary
CVE-2025-67592 identifies a Missing Authorization vulnerability in the Joe Dolson My Calendar WordPress plugin, versions up to and including 3.6.16. The vulnerability arises from improperly configured access control security levels, allowing authenticated users with low privileges to access or manipulate calendar data or functionality beyond their authorization scope. The issue is classified as a Missing Authorization flaw, meaning the plugin fails to enforce proper permission checks on certain actions or data views. The CVSS v3.1 base score is 4.3 (medium severity), with an attack vector of network (remote exploitation), low attack complexity, requiring privileges (low-level authenticated user), no user interaction, and impacting confidentiality only. The vulnerability does not affect data integrity or availability. No public exploits or patches are currently available, indicating the threat is theoretical but should be addressed proactively. The plugin is commonly used in WordPress environments to manage event calendars, and this flaw could expose sensitive scheduling or event information to unauthorized users. The root cause is a misconfiguration or omission in the plugin’s authorization logic, which should be corrected by implementing strict role-based access controls and validating user permissions before granting access to sensitive functions or data.
Potential Impact
For European organizations, this vulnerability could lead to unauthorized disclosure of sensitive calendar or event information, potentially exposing internal schedules, confidential meetings, or strategic planning data. While it does not allow modification or deletion of data, the confidentiality breach could facilitate further social engineering or targeted attacks. Organizations relying on the My Calendar plugin for internal or public event management may inadvertently expose information to low-privileged users or external attackers who have gained limited access. This risk is particularly relevant for sectors with sensitive scheduling needs, such as government agencies, financial institutions, healthcare providers, and large enterprises. The medium severity rating reflects limited impact on system integrity and availability but highlights the importance of confidentiality in organizational operations. The absence of known exploits reduces immediate risk but does not eliminate the need for timely remediation.
Mitigation Recommendations
1. Immediately audit current My Calendar plugin configurations to identify and restrict access permissions, ensuring only authorized roles can access sensitive calendar data.
2. Temporarily disable or restrict the plugin’s use to trusted administrators or users until a security patch is released.
3. Monitor user activity logs for unusual access patterns or attempts to access unauthorized calendar information.
4. Implement strict role-based access control (RBAC) policies within WordPress to limit plugin access.
5. Keep WordPress core and all plugins updated, and subscribe to vendor or security mailing lists for patch announcements.
6. If possible, apply custom authorization checks or web application firewall (WAF) rules to block unauthorized access attempts targeting the plugin’s endpoints.
7. Conduct internal security awareness training to inform users about the risks of unauthorized data access and encourage reporting of suspicious activity.
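The Technical Summary names the fix for a Missing Authorization flaw in general terms: validate the caller's permissions before serving sensitive calendar data. The following WordPress plugin code is an added illustration of that pattern and is not code from the My Calendar plugin, nor a reconstruction of its vulnerable handler. The handler names, the `example-calendar` REST namespace, the `mc_view_private_events` capability and the in-memory event list are all hypothetical; the WordPress functions used (`check_ajax_referer`, `current_user_can`, `register_rest_route` with `permission_callback`, `get_role`/`add_cap`) are the real core APIs.

```php
<?php
// Added example (not the My Calendar plugin's code): a capability check
// placed in front of calendar data, as the Technical Summary recommends.
// Names marked "hypothetical" below are assumptions for illustration.

// Hypothetical stand-in for a plugin's private event table.
function example_calendar_private_events() {
    return array(
        array( 'id' => 1, 'title' => 'Board meeting', 'date' => '2026-03-01' ),
        array( 'id' => 2, 'title' => 'Audit prep',    'date' => '2026-03-04' ),
    );
}

/**
 * Weak pattern (left unregistered on purpose): wp_ajax_* actions fire for
 * every logged-in user, so without a capability check any subscriber-level
 * account can read the private list. Nothing here ties the action to a role.
 */
function example_calendar_export_weak() {
    wp_send_json_success( example_calendar_private_events() );
}
// add_action( 'wp_ajax_example_calendar_export', 'example_calendar_export_weak' );

/**
 * Hardened pattern: verify the request nonce, then require a capability
 * that maps to the roles actually allowed to read private events.
 * 'mc_view_private_events' is a hypothetical custom capability.
 */
function example_calendar_export_hardened() {
    check_ajax_referer( 'example_calendar_export', 'nonce' );

    if ( ! current_user_can( 'mc_view_private_events' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    wp_send_json_success( example_calendar_private_events() );
}
add_action( 'wp_ajax_example_calendar_export', 'example_calendar_export_hardened' );

/**
 * The same decision for a REST route. permission_callback runs before the
 * handler, so authorization lives in one place and cannot be skipped by
 * a handler that forgets to check.
 */
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-calendar/v1', '/private-events', array(
        'methods'             => 'GET',
        'callback'            => function () {
            return rest_ensure_response( example_calendar_private_events() );
        },
        'permission_callback' => function () {
            return current_user_can( 'mc_view_private_events' );
        },
    ) );
} );

/**
 * Grant the custom capability only to the roles that should hold it.
 * Call once from register_activation_hook(), not on every request, so the
 * site owner's later role edits are not silently overwritten.
 */
function example_calendar_add_caps() {
    foreach ( array( 'administrator', 'editor' ) as $role_name ) {
        $role = get_role( $role_name );
        if ( $role ) {
            $role->add_cap( 'mc_view_private_events' );
        }
    }
}
```

Using a dedicated capability rather than a broad one such as `edit_posts` is what makes mitigation step 4 (RBAC within WordPress) enforceable: a site owner can grant or revoke `mc_view_private_events` per role without touching unrelated permissions, and the REST `permission_callback` gives a single audit point for step 1.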
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: Patchstack
- Date Reserved: 2025-12-09T12:21:39.681Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 693833ae29cea75c35ae576d
Added to database: 12/9/2025, 2:35:26 PM
Last enriched: 1/21/2026, 1:06:32 AM
Last updated: 2/4/2026, 2:59:24 PM
Views: 31
Related Threats
- CVE-2025-69618: n/a (severity: Unknown)
- CVE-2024-45326: Improper access control in Fortinet FortiDeceptor (severity: Low)
- CVE-2025-14740: CWE-732 Incorrect Permission Assignment for Critical Resource in Docker Inc. Docker Desktop (severity: Medium)
- Amaranth-Dragon: Weaponizing CVE-2025-8088 for Targeted Espionage in the Southeast Asia (severity: Medium)
- CVE-2024-35280: Execute unauthorized code or commands in Fortinet FortiDeceptor (severity: Medium)