CVE-2026-40308: CWE-639: Authorization Bypass Through User-Controlled Key in joedolson my-calendar
A vulnerability in the My Calendar WordPress plugin (versions 3. 7. 6 and below) allows unauthenticated attackers to exploit an AJAX endpoint that improperly parses user-supplied input. On WordPress Multisite installations, this enables unauthorized access to calendar events from any sub-site by switching to arbitrary site IDs. On single-site installations, the flaw causes a PHP fatal error leading to denial of service. The issue is fixed in version 3. 7. 7.
AI Analysis
Technical Summary
The My Calendar plugin for WordPress versions 3.7.6 and earlier exposes an unauthenticated AJAX endpoint (mc_ajax_mcjs_action) that uses parse_str() on user input without validation. This allows injection of arbitrary parameters, including a 'site' value. On WordPress Multisite setups, attackers can invoke switch_to_blog() with arbitrary site IDs to access calendar events from other sub-sites, including private or hidden events, constituting an authorization bypass. On single-site setups, the absence of switch_to_blog() causes a fatal PHP error, resulting in an unauthenticated denial of service. The vulnerability is tracked as CVE-2026-40308 with a CVSS 4.0 score of 8.8 (high severity). The issue is resolved in My Calendar version 3.7.7.
Potential Impact
On WordPress Multisite installations, attackers can bypass authorization controls to access calendar events from any sub-site, including private or hidden events, potentially exposing sensitive information. On single-site installations, the vulnerability causes a PHP fatal error that crashes the worker thread, enabling an unauthenticated denial of service. There are no known exploits in the wild as of the published date.
Mitigation Recommendations
Upgrade the My Calendar plugin to version 3.7.7 or later, where this vulnerability has been fixed. No other mitigations are specified. Patch status is not explicitly confirmed in the vendor advisory, but the description states the issue is fixed in 3.7.7, indicating an official fix is available.
CVE-2026-40308: CWE-639: Authorization Bypass Through User-Controlled Key in joedolson my-calendar
Description
A vulnerability in the My Calendar WordPress plugin (versions 3. 7. 6 and below) allows unauthenticated attackers to exploit an AJAX endpoint that improperly parses user-supplied input. On WordPress Multisite installations, this enables unauthorized access to calendar events from any sub-site by switching to arbitrary site IDs. On single-site installations, the flaw causes a PHP fatal error leading to denial of service. The issue is fixed in version 3. 7. 7.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The My Calendar plugin for WordPress versions 3.7.6 and earlier exposes an unauthenticated AJAX endpoint (mc_ajax_mcjs_action) that uses parse_str() on user input without validation. This allows injection of arbitrary parameters, including a 'site' value. On WordPress Multisite setups, attackers can invoke switch_to_blog() with arbitrary site IDs to access calendar events from other sub-sites, including private or hidden events, constituting an authorization bypass. On single-site setups, the absence of switch_to_blog() causes a fatal PHP error, resulting in an unauthenticated denial of service. The vulnerability is tracked as CVE-2026-40308 with a CVSS 4.0 score of 8.8 (high severity). The issue is resolved in My Calendar version 3.7.7.
Potential Impact
On WordPress Multisite installations, attackers can bypass authorization controls to access calendar events from any sub-site, including private or hidden events, potentially exposing sensitive information. On single-site installations, the vulnerability causes a PHP fatal error that crashes the worker thread, enabling an unauthenticated denial of service. There are no known exploits in the wild as of the published date.
Mitigation Recommendations
Upgrade the My Calendar plugin to version 3.7.7 or later, where this vulnerability has been fixed. No other mitigations are specified. Patch status is not explicitly confirmed in the vendor advisory, but the description states the issue is fixed in 3.7.7, indicating an official fix is available.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-10T21:41:54.504Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69e158cb82d89c981fcfb81d
Added to database: 4/16/2026, 9:46:51 PM
Last enriched: 4/16/2026, 10:01:50 PM
Last updated: 4/16/2026, 10:51:57 PM
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.