CVE-2026-7525 MEDIUM

CVE-2026-7525: My Calendar <= 3.7.9 - Authenticated (Custom+) Missing Authorization to Unauthorized Event Publication via 'event_approved' Parameter

Vendor: Joedolson
Product: My Calendar – Accessible Event Manager
Weakness: CWE-862 · Missing authorization
Published: May 14, 2026
Last update: May 14, 2026

CVSS base score

4.3/10
Attack vector: Network
Attack complexity: Low
Privileges required: Low
User interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

What the vulnerability does

01 Description

The My Calendar – Accessible Event Manager plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.7.9. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with custom-level access and above, to bypass the moderation and approval workflow by tampering with the POST body to publish events or set other unauthorized statuses such as cancelled or private, in ways their role does not permit. While the UI correctly restricts low-privilege users to a draft-only submit button, this restriction is enforced only client-side, making it trivially bypassable by directly manipulating the POST request.
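The pattern the advisory describes, as an added example that is not the plugin's own code: a handler that trusts the POST body's event_approved value beside one that only honours publish, private or cancelled when the current user holds an approval capability. The status codes and the capability names 'mc_add_events' and 'mc_approve_events' are assumptions for this illustration, not values taken from the advisory.

```php
<?php
// Added example, not code from the My Calendar plugin. Status codes and
// capability names below are assumed for illustration.

const MC_STATUS_DRAFT     = 0; // assumed mapping
const MC_STATUS_PUBLISHED = 1; // assumed mapping
const MC_STATUS_PRIVATE   = 3; // assumed mapping
const MC_STATUS_CANCELLED = 4; // assumed mapping

// Vulnerable pattern: the status is taken straight from the POST body. The UI
// only offers low-privilege users a draft button, but nothing on the server
// stops a tampered request from supplying a published status directly.
function vulnerable_status_from_request( array $post ) {
    return isset( $post['event_approved'] ) ? (int) $post['event_approved'] : MC_STATUS_DRAFT;
}

// Hardened pattern: a status that leaves the moderation queue is honoured only
// if the user holds the approval capability; otherwise it is downgraded to
// draft, and unknown values are never stored.
function hardened_status_from_request( array $post ) {
    $requested = isset( $post['event_approved'] ) ? absint( $post['event_approved'] ) : MC_STATUS_DRAFT;

    $moderated = array( MC_STATUS_PUBLISHED, MC_STATUS_PRIVATE, MC_STATUS_CANCELLED );
    if ( in_array( $requested, $moderated, true ) && ! current_user_can( 'mc_approve_events' ) ) {
        return MC_STATUS_DRAFT; // server-side enforcement, independent of the UI
    }

    $known = array( MC_STATUS_DRAFT, MC_STATUS_PUBLISHED, MC_STATUS_PRIVATE, MC_STATUS_CANCELLED );
    return in_array( $requested, $known, true ) ? $requested : MC_STATUS_DRAFT;
}

// Form handler: nonce check, base capability check, then the status gate.
// The nonce action name 'mc_event_submit' is hypothetical.
function handle_event_submission() {
    $nonce = isset( $_POST['_wpnonce'] ) ? sanitize_text_field( wp_unslash( $_POST['_wpnonce'] ) ) : '';
    if ( ! wp_verify_nonce( $nonce, 'mc_event_submit' ) ) {
        wp_die( 'Invalid request.' );
    }
    if ( ! current_user_can( 'mc_add_events' ) ) {
        wp_die( 'You are not allowed to submit events.' );
    }
    $status = hardened_status_from_request( $_POST );
    // ... persist the event with $status; the submitted value alone never decides it ...
}
```

The point is that the capability check happens on every status transition at save time, so removing a button from the form is never the only control.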

Explanation of Vulnerability in Simple Terms

02 Summary

My Calendar versions 3.7.9 and earlier lack proper authorization checks, allowing authenticated users to modify event data they should not have access to. A logged-in user with low privileges can alter calendar events without proper permission validation. The vulnerability affects the plugin's core event management functionality and requires an active user account to exploit.

What an attacker can do

03 Attacker Capabilities

Modify calendar events belonging to other users or restricted event data.

Potential impact on your site

04 Site Impact

Unauthorized users can alter or corrupt calendar events, potentially disrupting event scheduling and data integrity.

Conditions required to exploit

05 Prerequisites

Attacker must have a valid user account on the WordPress site with at least low-level privileges.

Key dates

06 Disclosure timeline

May 14, 2026: CVE published
May 14, 2026: Record updated