What the vulnerability does
01 Description
The Scheduler Widget plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 0.1.6. This is due to the `scheduler_widget_ajax_save_event()` function lacking proper authorization checks and ownership verification when updating events. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify any event in the scheduler via the `id` parameter, provided they know the event ID.
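To show what the missing checks look like in practice, here is an added, hardened AJAX handler written for this advisory; it is not the Scheduler Widget plugin's own code. It assumes (hypothetically) that events are stored as posts of a custom post type `sw_event` whose author is the event owner, and it adds the authorization and ownership checks the description says `scheduler_widget_ajax_save_event()` lacked.

```php
<?php
// Added illustrative handler, not the Scheduler Widget plugin's own code.
// Assumptions (hypothetical): events are posts of the custom post type
// 'sw_event', the owner is the post author, and the request carries an
// `id` parameter as described in the advisory.

add_action( 'wp_ajax_scheduler_widget_save_event', 'sw_hardened_ajax_save_event' );

function sw_hardened_ajax_save_event() {
    // 1. CSRF protection: the request must carry a nonce minted for this action.
    check_ajax_referer( 'sw_save_event', 'nonce' );

    // 2. Authorization: a Subscriber must not reach the update path at all.
    //    'edit_posts' is an example capability; pick the narrowest that fits.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient privileges' ), 403 );
    }

    // 3. Resolve the object and confirm it really is an event.
    $event_id = isset( $_POST['id'] ) ? absint( $_POST['id'] ) : 0;
    $event    = $event_id ? get_post( $event_id ) : null;
    if ( ! $event || 'sw_event' !== $event->post_type ) {
        wp_send_json_error( array( 'message' => 'Event not found' ), 404 );
    }

    // 4. Ownership verification: this is the IDOR. Knowing a valid ID is not
    //    enough; the caller must own the event or hold a capability that
    //    covers other users' events. (current_user_can( 'edit_post', $id )
    //    is the map_meta_cap alternative when the post type registers caps.)
    $is_owner = (int) $event->post_author === get_current_user_id();
    if ( ! $is_owner && ! current_user_can( 'edit_others_posts' ) ) {
        wp_send_json_error( array( 'message' => 'Not your event' ), 403 );
    }

    // 5. Only now write, and sanitize what is written.
    $title  = sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) );
    $result = wp_update_post(
        array( 'ID' => $event_id, 'post_title' => $title ),
        true
    );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( array( 'message' => $result->get_error_message() ), 500 );
    }
    wp_send_json_success( array( 'id' => $event_id ) );
}
```

Each `wp_send_json_error()` call ends the request, so a failed check never reaches the update; steps 2 and 4 are the two checks whose absence produces the behaviour described above.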
Explanation of Vulnerability in Simple Terms
02 Summary
The Scheduler Widget through version 0.1.6 contains an authorization flaw that allows authenticated users to modify data they should not have access to. An attacker with low-level account privileges can alter scheduling information or disable availability features. The vulnerability requires valid login credentials but no additional user interaction.
What an attacker can do
03 Attacker Capabilities
Modify or disable scheduler data and availability settings with a low-privilege account.
Potential impact on your site
04 Site Impact
Users with basic accounts can tamper with scheduling features, potentially disrupting site operations or data integrity.
Conditions required to exploit
05 Prerequisites
Attacker must have a valid user account with low-level privileges on the site.
Key dates
06 Disclosure timeline
February 14, 2026: CVE published
April 8, 2026: Record updated