CVE-2026-1987 MEDIUM

CVE-2026-1987: Scheduler Widget <= 0.1.6 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary Event Modification

Vendor Morelmathieuj
Product Scheduler Widget
Weakness CWE-639 · IDOR
Published February 14, 2026
Last update April 8, 2026

CVSS base score

5.4/10 (Medium)
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Scope Unchanged
Confidentiality None
Integrity Low
Availability Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

What the vulnerability does

01 Description

The Scheduler Widget plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 0.1.6. This is due to the `scheduler_widget_ajax_save_event()` function lacking proper authorization checks and ownership verification when updating events. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify any event in the scheduler via the `id` parameter, provided they know the event ID.
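The following is an added illustration, not the plugin's code, of how a WordPress AJAX save handler enforces the two controls the description says are missing (an authorization check and ownership verification) before touching the object named by `id`. The action name, function name, post type and request fields are assumed for the example.

```php
<?php
// Added example of a hardened WordPress AJAX "save event" handler.
// Names below (action, function, post type, fields) are illustrative assumptions.
add_action( 'wp_ajax_example_scheduler_save_event', 'example_scheduler_save_event' );

function example_scheduler_save_event() {
    // 1. CSRF protection: the request must carry a valid nonce for this action.
    check_ajax_referer( 'example_scheduler_save_event', 'nonce' );

    // 2. Validate the object reference itself.
    $event_id = isset( $_POST['id'] ) ? absint( $_POST['id'] ) : 0;
    if ( ! $event_id ) {
        wp_send_json_error( array( 'message' => 'Invalid event id.' ), 400 );
    }

    // Events are assumed to be stored as a custom post type 'example_event';
    // refusing other post types stops the id from pointing at unrelated objects.
    $event = get_post( $event_id );
    if ( ! $event || 'example_event' !== $event->post_type ) {
        wp_send_json_error( array( 'message' => 'Event not found.' ), 404 );
    }

    // 3a. Authorization: a capability gate. Subscribers do not hold edit_posts,
    //     so the Subscriber+ access described in the CVE is refused here.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( array( 'message' => 'Not allowed.' ), 403 );
    }

    // 3b. Ownership verification: only the event's creator, or a user who may
    //     manage the site, may modify this particular event.
    $is_owner = (int) $event->post_author === get_current_user_id();
    if ( ! $is_owner && ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Not the owner of this event.' ), 403 );
    }

    // 4. Only now apply the update, with sanitised input.
    $title = isset( $_POST['title'] )
        ? sanitize_text_field( wp_unslash( $_POST['title'] ) )
        : $event->post_title;
    wp_update_post( array( 'ID' => $event_id, 'post_title' => $title ) );

    wp_send_json_success( array( 'id' => $event_id ) );
}
```

The IDOR class in the description corresponds to steps 3a and 3b being absent: the handler would trust the `id` value and write to whatever event it names, regardless of who submitted it.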

Explanation of Vulnerability in Simple Terms

02 Summary

The Scheduler Widget through version 0.1.6 contains an authorization flaw that allows authenticated users to modify data they should not have access to. An attacker with low-level account privileges can alter scheduling information or disable availability features. The vulnerability requires valid login credentials but no additional user interaction.

What an attacker can do

03 Attacker Capabilities

Modify or disable scheduler data and availability settings with a low-privilege account.

Potential impact on your site

04 Site Impact

Users with basic accounts can tamper with scheduling features, potentially disrupting site operations or data integrity.

Conditions required to exploit

05 Prerequisites

Attacker must have a valid user account with low-level privileges on the site.

Key dates

06 Disclosure timeline

February 14, 2026 CVE published
April 8, 2026 Record updated
