CVE-2026-1310 is a vulnerability classified under CWE-862 (Missing Authorization) found in the Simple calendar for Elementor plugin for WordPress, affecting all versions up to and including 1.6.6. The root cause is the absence of proper capability checks in the miga_ajax_editor_cal_delete function, which is hooked to the miga_editor_cal_delete AJAX action. This AJAX endpoint is accessible to both authenticated and unauthenticated users, and it processes requests to delete calendar entries. Although the function requires a valid nonce, the lack of authorization checks means that an attacker who can obtain or guess a valid nonce and provide a calendar entry ID can delete arbitrary calendar entries without any privileges. This flaw compromises the integrity of calendar data by allowing unauthorized deletion but does not affect confidentiality or availability. The vulnerability is remotely exploitable over the network without authentication or user interaction, making it relatively easy to exploit if a valid nonce is obtained. No patches or fixes are currently linked, and no known exploits have been reported in the wild. The CVSS v3.1 base score is 5.3, indicating medium severity, with attack vector network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), no confidentiality impact (C:N), integrity impact low (I:L), and no availability impact (A:N).

The primary impact of this vulnerability is the unauthorized deletion of calendar entries, which compromises data integrity. For organizations relying on the Simple calendar for Elementor plugin to manage event information, this could lead to loss of critical scheduling data, disruption of event management workflows, and potential reputational damage if event information is manipulated or erased. Although confidentiality and availability are not directly affected, the integrity loss could indirectly impact business operations, especially for organizations that depend heavily on calendar data for internal coordination or customer-facing event management. The ease of exploitation without authentication increases the risk, particularly if attackers can obtain or predict valid nonces. Since no known exploits are currently reported, the immediate risk may be moderate, but the vulnerability remains a concern until patched. Organizations with public-facing WordPress sites using this plugin are at higher risk, especially those with high traffic or targeted by attackers seeking to disrupt operations or cause reputational harm.

To mitigate this vulnerability, organizations should first verify if they are using the Simple calendar for Elementor plugin version 1.6.6 or earlier and plan to update to a patched version once released by the vendor. In the absence of an official patch, administrators should consider disabling or restricting the affected AJAX action (miga_editor_cal_delete) by modifying plugin code or using WordPress hooks to enforce capability checks, ensuring only authorized users can invoke deletion functions. Implementing strict nonce validation and ensuring nonces are not easily guessable or exposed can reduce exploitation risk. Additionally, monitoring web server logs for suspicious AJAX requests targeting the miga_editor_cal_delete action can help detect attempted exploitation. Employing a Web Application Firewall (WAF) with custom rules to block unauthorized access to this AJAX endpoint can provide an additional layer of defense. Regular backups of calendar data should be maintained to enable recovery in case of data deletion. Finally, educating site administrators about the risks of unauthorized plugin actions and encouraging minimal plugin use can reduce the attack surface.