CVE-2026-40308: CWE-639: Authorization Bypass Through User-Controlled Key in joedolson my-calendar
A vulnerability in the My Calendar WordPress plugin (versions 3. 7. 6 and below) allows unauthenticated attackers to exploit an AJAX endpoint that improperly parses user-supplied parameters. On WordPress Multisite installations, this enables unauthorized access to calendar events from any sub-site by switching to arbitrary site IDs. On single-site installations, the flaw causes a PHP fatal error leading to denial of service. The issue is fixed in version 3. 7. 7.
AI Analysis
Technical Summary
The My Calendar plugin for WordPress versions 3.7.6 and earlier exposes an unauthenticated AJAX endpoint (mc_ajax_mcjs_action) that uses parse_str() on user input without validation. This allows injection of arbitrary parameters, including a site identifier. On WordPress Multisite setups, attackers can invoke switch_to_blog() with arbitrary site IDs to access calendar events from any sub-site, including private or hidden ones. On single-site setups, the absence of switch_to_blog() causes a fatal PHP error, crashing the worker thread and resulting in a denial of service. The vulnerability is tracked as CVE-2026-40308 with a CVSS 4.0 score of 8.8 (high severity). It has been fixed in version 3.7.7 of the plugin.
Potential Impact
On WordPress Multisite installations, this vulnerability allows unauthenticated attackers to bypass authorization controls and access calendar events from any sub-site, including private or hidden events, potentially exposing sensitive information. On single-site installations, the vulnerability causes a denial of service by crashing the PHP worker thread due to an uncaught fatal error. There are no known exploits in the wild at this time.
Mitigation Recommendations
Upgrade the My Calendar plugin to version 3.7.7 or later, where this vulnerability has been fixed. No other mitigations are specified. Patch status is confirmed by the vendor's versioning information. Until upgraded, consider restricting access to the vulnerable AJAX endpoint if possible.
CVE-2026-40308: CWE-639: Authorization Bypass Through User-Controlled Key in joedolson my-calendar
Description
A vulnerability in the My Calendar WordPress plugin (versions 3. 7. 6 and below) allows unauthenticated attackers to exploit an AJAX endpoint that improperly parses user-supplied parameters. On WordPress Multisite installations, this enables unauthorized access to calendar events from any sub-site by switching to arbitrary site IDs. On single-site installations, the flaw causes a PHP fatal error leading to denial of service. The issue is fixed in version 3. 7. 7.
CVSS v4.0
Score 8.8high
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The My Calendar plugin for WordPress versions 3.7.6 and earlier exposes an unauthenticated AJAX endpoint (mc_ajax_mcjs_action) that uses parse_str() on user input without validation. This allows injection of arbitrary parameters, including a site identifier. On WordPress Multisite setups, attackers can invoke switch_to_blog() with arbitrary site IDs to access calendar events from any sub-site, including private or hidden ones. On single-site setups, the absence of switch_to_blog() causes a fatal PHP error, crashing the worker thread and resulting in a denial of service. The vulnerability is tracked as CVE-2026-40308 with a CVSS 4.0 score of 8.8 (high severity). It has been fixed in version 3.7.7 of the plugin.
Potential Impact
On WordPress Multisite installations, this vulnerability allows unauthenticated attackers to bypass authorization controls and access calendar events from any sub-site, including private or hidden events, potentially exposing sensitive information. On single-site installations, the vulnerability causes a denial of service by crashing the PHP worker thread due to an uncaught fatal error. There are no known exploits in the wild at this time.
Mitigation Recommendations
Upgrade the My Calendar plugin to version 3.7.7 or later, where this vulnerability has been fixed. No other mitigations are specified. Patch status is confirmed by the vendor's versioning information. Until upgraded, consider restricting access to the vulnerable AJAX endpoint if possible.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-10T21:41:54.504Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69e158cb82d89c981fcfb81d
Added to database: 4/16/2026, 9:46:51 PM
Last enriched: 4/24/2026, 4:21:09 PM
Last updated: 5/31/2026, 6:40:54 AM
Views: 113
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.