What the vulnerability does
01 Description
The Private Google Calendars plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'pgc_remove' action in all versions up to, and including, 20250811. This makes it possible for authenticated attackers, with Subscriber-level access and above, to reset the plugin's settings.
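Until a fixed release is identified, a site owner can enforce the missing check from outside the plugin. The following is an added example, not code from the plugin or from this advisory: a must-use plugin that refuses `pgc_remove` requests from users without an administrative capability and logs the attempt. The `pgc_guard_*` names, the choice of `manage_options`, and the assumption that the plugin dispatches on the `action` request parameter are all hypothetical.

```php
<?php
/**
 * Plugin Name: pgc_remove capability guard (added example)
 * Constructed mitigation sketch for wp-content/mu-plugins/; not the plugin's code.
 */

// From the advisory: the action name that lacks a capability check.
const PGC_GUARD_ACTION = 'pgc_remove';
// Assumption: only administrators should be able to reset plugin settings.
const PGC_GUARD_CAPABILITY = 'manage_options';

/** Return the requested "action" parameter, or '' if absent or not a string. */
function pgc_guard_requested_action(): string {
    $action = $_REQUEST['action'] ?? '';
    return is_string($action) ? $action : '';
}

/** Stop the request before any handler runs unless the user has the capability. */
function pgc_guard_enforce(): void {
    if (pgc_guard_requested_action() !== PGC_GUARD_ACTION) {
        return; // Unrelated request: do nothing.
    }
    if (current_user_can(PGC_GUARD_CAPABILITY)) {
        return; // Privileged user: let the plugin handle it.
    }
    // Leave a trace for detection: who attempted the reset, and from where.
    error_log(sprintf(
        'pgc_guard: blocked %s user_id=%d ip=%s',
        PGC_GUARD_ACTION,
        get_current_user_id(),
        isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '-'
    ));
    wp_die('You are not allowed to perform this action.', 'Forbidden', array('response' => 403));
}

// Assumption: the plugin dispatches on the "action" request parameter
// (admin-post.php, admin-ajax.php, or its own init/admin_init handler).
// Running at the earliest priority on 'init' precedes those.
add_action('init', 'pgc_guard_enforce', PHP_INT_MIN);
```

The guard adds only the capability check; it does not retrofit a nonce check, and it should be removed once a fixed plugin release is installed.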
Explanation of Vulnerability in Simple Terms
02 Summary
Private Google Calendars contains an authorization flaw that allows authenticated users to modify calendar data they should not have access to. An attacker with a low-privilege account can alter calendar entries or settings belonging to other users. The vulnerability affects all versions up to August 11, 2025. A patched version has not yet been publicly identified.
What an attacker can do
03 Attacker Capabilities
Modify or alter calendar data belonging to other users without proper authorization.
Potential impact on your site
04 Site Impact
Users' calendar data can be modified by other authenticated users, compromising data integrity and user trust.
Conditions required to exploit
05 Prerequisites
Attacker must have a valid low-privilege account on the site or service.
Key dates
06 Disclosure timeline
November 11, 2025: CVE published
April 8, 2026: Record updated