What the vulnerability does
01 Description
The My Calendar – Accessible Event Manager plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.7.9. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with custom-level access and above, to bypass the moderation and approval workflow by tampering with the POST body to publish events or set other unauthorized statuses such as cancelled or private, in ways their role does not permit. While the UI correctly restricts low-privilege users to a draft-only submit button, this restriction is enforced only client-side, making it trivially bypassable by directly manipulating the POST request.
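The control the description says is missing is a server-side check on the submitted status. The PHP below is an added example, not code from the My Calendar plugin: the field name `event_status`, the status labels, and the capability `example_approve_events` are hypothetical stand-ins, and the `$can` callable stands for a capability check such as WordPress's `current_user_can()`.

```php
<?php
// Added illustration; not My Calendar's code. Field name, status labels and
// capability name are hypothetical stand-ins for the plugin's real ones.
const STATUS_FIELD   = 'event_status';
const DEFAULT_STATUS = 'draft';
// Status => capability required to set it (null = any user who may submit).
const STATUS_CAPS = [
    'draft'     => null,
    'publish'   => 'example_approve_events',
    'cancelled' => 'example_approve_events',
    'private'   => 'example_approve_events',
];

/**
 * Decide the status to store, server-side, from the submitted POST body.
 * $can is a capability check such as WordPress's current_user_can().
 * Returns [status, rejected]: rejected is true when the request asked for
 * a status the user may not set, which is worth logging.
 */
function resolve_event_status(array $post, callable $can): array
{
    $requested = $post[STATUS_FIELD] ?? DEFAULT_STATUS;
    // Arrays or unknown values are never trusted; allow-list only.
    if (!is_string($requested) || !array_key_exists($requested, STATUS_CAPS)) {
        return [DEFAULT_STATUS, true];
    }
    $cap = STATUS_CAPS[$requested];
    if ($cap !== null && !$can($cap)) {
        return [DEFAULT_STATUS, true];
    }
    return [$requested, false];
}

// Constructed demo: a contributor-like user and a moderator-like user.
$contributor = fn(string $cap): bool => false;
$moderator   = fn(string $cap): bool => $cap === 'example_approve_events';

$cases = [
    ['contributor, UI default',  ['event_status' => 'draft'],   $contributor],
    ['contributor, edited body', ['event_status' => 'publish'], $contributor],
    ['moderator, publish',       ['event_status' => 'publish'], $moderator],
    ['unknown status value',     ['event_status' => 'bogus'],   $moderator],
];
foreach ($cases as [$label, $post, $can]) {
    [$status, $rejected] = resolve_event_status($post, $can);
    printf("%-26s -> %-8s rejected=%s\n", $label, $status, $rejected ? 'yes' : 'no');
}
```

The `rejected` flag marks a request whose status did not match what the user's role allows, which is a useful signal to log when reviewing event submissions on a site that ran an affected version.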
Explanation of Vulnerability in Simple Terms
02 Summary
My Calendar versions 3.7.9 and earlier lack proper authorization checks, allowing authenticated users to modify event data they should not have access to. A logged-in user with low privileges can alter calendar events without proper permission validation. The vulnerability affects the plugin's core event management functionality and requires an active user account to exploit.
What an attacker can do
03 Attacker Capabilities
Modify calendar events belonging to other users or restricted event data.
Potential impact on your site
04 Site Impact
Unauthorized users can alter or corrupt calendar events, potentially disrupting event scheduling and data integrity.
Conditions required to exploit
05 Prerequisites
Attacker must have a valid user account on the WordPress site with at least low-level privileges.
Key dates
06 Disclosure timeline
May 14, 2026: CVE published
May 14, 2026: Record updated