CVE-2026-1987 is an authorization bypass vulnerability classified under CWE-639 (Authorization Bypass Through User-Controlled Key) found in the morelmathieuj Scheduler Widget plugin for WordPress. The flaw exists in the scheduler_widget_ajax_save_event() function, which handles AJAX requests to update scheduler events. This function fails to perform adequate authorization checks or verify event ownership before allowing modifications. As a result, any authenticated user with Subscriber-level privileges or higher can manipulate the 'id' parameter to update events they do not own, leading to unauthorized modification of scheduler data. The vulnerability affects all versions up to and including 0.1.6. The CVSS v3.1 base score is 5.4 (medium severity) with vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L, indicating network exploitable, low attack complexity, requiring privileges but no user interaction, and impacting integrity and availability but not confidentiality. No patches or known exploits are currently available. This vulnerability could be leveraged to disrupt scheduling operations, potentially causing denial of service or data integrity issues within affected WordPress sites.

For European organizations, this vulnerability poses a risk primarily to the integrity and availability of scheduling data managed via the morelmathieuj Scheduler Widget on WordPress platforms. Unauthorized modification of scheduler events could disrupt business operations, cause scheduling conflicts, or result in denial of service conditions if critical events are altered or deleted. Although confidentiality is not directly impacted, the integrity loss could undermine trust in internal or customer-facing scheduling systems. Organizations relying on this plugin for event management—such as educational institutions, healthcare providers, or service companies—may experience operational disruptions. The requirement for authenticated access limits exposure but does not eliminate risk, especially in environments with weak user access controls or where Subscriber-level accounts are widely distributed. The absence of patches increases the urgency for interim mitigations.

1. Immediately audit user roles and permissions within WordPress to ensure that Subscriber-level accounts are strictly controlled and limited to trusted users. 2. Implement additional access control mechanisms such as web application firewalls (WAFs) to detect and block suspicious AJAX requests attempting to modify scheduler events. 3. Monitor logs for unusual activity related to the scheduler_widget_ajax_save_event() function, particularly modifications to event IDs by non-administrative users. 4. Restrict access to the WordPress admin and AJAX endpoints using IP whitelisting or VPNs where feasible. 5. Consider disabling or replacing the morelmathieuj Scheduler Widget plugin until an official patch is released. 6. If custom development resources are available, implement temporary server-side authorization checks to verify event ownership before allowing updates. 7. Educate users about the risk of sharing event IDs and credentials to reduce the likelihood of exploitation. 8. Stay alert for vendor updates or patches and apply them promptly once available.