What the vulnerability does
01 Description
The Simple calendar for Elementor plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.6.6. This is due to missing capability checks on the `miga_ajax_editor_cal_delete` function that is hooked to the `miga_editor_cal_delete` AJAX action with both authenticated and unauthenticated access enabled. This makes it possible for unauthenticated attackers to delete arbitrary calendar entries by sending a request with a valid nonce and the calendar entry ID.
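A hardened shape for the handler described above, as an added example; this is not the plugin's own code. The function and AJAX action names come from the description, while the nonce action `miga_editor_nonce`, the `nonce` and `id` request parameters, the `edit_posts` capability and the `miga_calendar` table name are assumptions.

```php
<?php
// Added example, not the plugin's own code. Nonce action, capability,
// request parameters and table name are assumptions for illustration.

// Register the handler for logged-in users only. The pattern described above
// also hooks it to wp_ajax_nopriv_miga_editor_cal_delete, which exposes it
// to visitors who are not logged in.
add_action( 'wp_ajax_miga_editor_cal_delete', 'miga_ajax_editor_cal_delete' );

function miga_ajax_editor_cal_delete() {
    // 1. CSRF check. A nonce shows the request came from a page the site
    //    rendered; it does not show the caller is allowed to delete.
    if ( ! check_ajax_referer( 'miga_editor_nonce', 'nonce', false ) ) {
        wp_send_json_error( array( 'message' => 'Invalid nonce.' ), 403 );
    }

    // 2. Authorization check: the step the description says is missing.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden.' ), 403 );
    }

    // 3. Validate the entry ID as a positive integer.
    $entry_id = isset( $_POST['id'] ) ? absint( wp_unslash( $_POST['id'] ) ) : 0;
    if ( 0 === $entry_id ) {
        wp_send_json_error( array( 'message' => 'Missing entry ID.' ), 400 );
    }

    // 4. Delete with a typed format so the ID is never interpolated as SQL.
    global $wpdb;
    $deleted = $wpdb->delete(
        $wpdb->prefix . 'miga_calendar', // hypothetical table name
        array( 'id' => $entry_id ),
        array( '%d' )
    );

    if ( false === $deleted ) {
        wp_send_json_error( array( 'message' => 'Delete failed.' ), 500 );
    }
    wp_send_json_success( array( 'deleted' => (int) $deleted ) );
}
```

The nonce check and the capability check answer different questions, so the handler needs both; dropping the `nopriv` hook alone still leaves any logged-in user able to call it.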
Explanation of Vulnerability in Simple Terms
02 Summary
Simple Calendar for Elementor versions up to 1.6.6 lack proper authorization checks, allowing unauthenticated attackers to modify calendar data. The vulnerability requires only network access and no user interaction. Site administrators should update to a version newer than 1.6.6 to prevent unauthorized calendar modifications.
What an attacker can do
03 Attacker Capabilities
Modify calendar data without authentication or permission.
Potential impact on your site
04 Site Impact
Attackers can alter calendar events and content visible to site visitors without your knowledge or consent.
Conditions required to exploit
05 Prerequisites
Network access only; no authentication or user interaction required.
Key dates
06 Disclosure timeline
January 28, 2026: CVE published
April 8, 2026: Record updated