{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40308", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-10T21:41:54.504Z", "datePublished": "2026-04-16T21:30:52.401Z", "dateUpdated": "2026-04-17T12:32:26.622Z"}, "containers": {"cna": {"title": "My Calendar: Unauthenticated Information Disclosure (IDOR) via Multisite switch_to_blog", "problemTypes": [{"descriptions": [{"cweId": "CWE-639", "lang": "en", "description": "CWE-639: Authorization Bypass Through User-Controlled Key", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 8.8, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/joedolson/my-calendar/security/advisories/GHSA-2mvx-f5qm-v2ch", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/joedolson/my-calendar/security/advisories/GHSA-2mvx-f5qm-v2ch"}, {"name": "https://github.com/joedolson/my-calendar/releases/tag/v3.7.7", "tags": ["x_refsource_MISC"], "url": "https://github.com/joedolson/my-calendar/releases/tag/v3.7.7"}], "affected": [{"vendor": "joedolson", "product": "my-calendar", "versions": [{"version": "< 3.7.7", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-16T21:30:52.401Z"}, "descriptions": [{"lang": "en", "value": "My Calendar is a WordPress plugin for managing calendar events. In versions 3.7.6 and below, the mc_ajax_mcjs_action AJAX endpoint, registered for unauthenticated users, passes user-supplied arguments through parse_str() without validation, allowing injection of arbitrary parameters including a site value. On WordPress Multisite installations, this enables an unauthenticated attacker to call switch_to_blog() with an arbitrary site ID and extract calendar events from any sub-site on the network, including private or hidden events. On standard Single Site installations, switch_to_blog() does not exist, causing an uncaught PHP fatal error and crashing the worker thread, creating an unauthenticated denial of service vector. This issue has been fixed in version 3.7.7."}], "source": {"advisory": "GHSA-2mvx-f5qm-v2ch", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/joedolson/my-calendar/security/advisories/GHSA-2mvx-f5qm-v2ch", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-17T12:32:21.737938Z", "id": "CVE-2026-40308", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-17T12:32:26.622Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40308", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-17T12:32:21.737938Z"}}}], "references": [{"url": "https://github.com/joedolson/my-calendar/security/advisories/GHSA-2mvx-f5qm-v2ch", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-17T12:32:10.097Z"}}], "cna": {"title": "My Calendar: Unauthenticated Information Disclosure (IDOR) via Multisite switch_to_blog", "source": {"advisory": "GHSA-2mvx-f5qm-v2ch", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "joedolson", "product": "my-calendar", "versions": [{"status": "affected", "version": "< 3.7.7"}]}], "references": [{"url": "https://github.com/joedolson/my-calendar/security/advisories/GHSA-2mvx-f5qm-v2ch", "name": "https://github.com/joedolson/my-calendar/security/advisories/GHSA-2mvx-f5qm-v2ch", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/joedolson/my-calendar/releases/tag/v3.7.7", "name": "https://github.com/joedolson/my-calendar/releases/tag/v3.7.7", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "My Calendar is a WordPress plugin for managing calendar events. In versions 3.7.6 and below, the mc_ajax_mcjs_action AJAX endpoint, registered for unauthenticated users, passes user-supplied arguments through parse_str() without validation, allowing injection of arbitrary parameters including a site value. On WordPress Multisite installations, this enables an unauthenticated attacker to call switch_to_blog() with an arbitrary site ID and extract calendar events from any sub-site on the network, including private or hidden events. On standard Single Site installations, switch_to_blog() does not exist, causing an uncaught PHP fatal error and crashing the worker thread, creating an unauthenticated denial of service vector. This issue has been fixed in version 3.7.7."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-639", "description": "CWE-639: Authorization Bypass Through User-Controlled Key"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-16T21:30:52.401Z"}}}, "cveMetadata": {"cveId": "CVE-2026-40308", "state": "PUBLISHED", "dateUpdated": "2026-04-17T12:32:26.622Z", "dateReserved": "2026-04-10T21:41:54.504Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-16T21:30:52.401Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "My Calendar is a WordPress plugin for managing calendar events. In versions 3.7.6 and below, the mc_ajax_mcjs_action AJAX endpoint, registered for unauthenticated users, passes user-supplied arguments through parse_str() without validation, allowing injection of arbitrary parameters including a site value. On WordPress Multisite installations, this enables an unauthenticated attacker to call switch_to_blog() with an arbitrary site ID and extract calendar events from any sub-site on the network, including private or hidden events. On standard Single Site installations, switch_to_blog() does not exist, causing an uncaught PHP fatal error and crashing the worker thread, creating an unauthenticated denial of service vector. This issue has been fixed in version 3.7.7."}], "id": "CVE-2026-40308", "lastModified": "2026-04-17T15:38:09.243", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-16T22:16:38.940", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/joedolson/my-calendar/releases/tag/v3.7.7"}, {"source": "security-advisories@github.com", "url": "https://github.com/joedolson/my-calendar/security/advisories/GHSA-2mvx-f5qm-v2ch"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/joedolson/my-calendar/security/advisories/GHSA-2mvx-f5qm-v2ch"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.7.7)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "my-calendar", "source": "cna", "vendor": "joedolson"}, "product": "my-calendar", "vendor": "joedolson"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-17T02:25:33.716950+00:00", "value": {"mitigation_remediation": ["Upgrade the My Calendar plugin to version 3.7.7 or later, which removes the vulnerable AJAX handler.", "If an upgrade cannot be performed immediately, temporarily disable the My Calendar plugin or block unauthenticated access to /wp-admin/admin-ajax.php via web\u2011server rules to eliminate the exposed endpoint.", "Verify that the fix does not interfere with other WordPress functionalities and review any other plugins for similar IDOR vulnerabilities to ensure a comprehensive security posture."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized access to private calendar events via IDOR"}, "threat_synthesis": {"affected_systems": "The affected product is the My Calendar WordPress plugin developed by joedolson. Versions up to and including 3.7.6 are vulnerable. The issue manifests on WordPress Multisite networks, where it permits cross\u2011site data exposure, and on single\u2011site installations, where it causes a crash if the endpoint is accessed.", "description_and_impact": "The vulnerability is an injection flaw in the mc_ajax_mcjs_action AJAX endpoint, which accepts user\u2011supplied arguments without validation and passes them to parse_str(). An unauthenticated attacker can supply a particular site ID value, causing WordPress to invoke switch_to_blog() and switch context to any sub\u2011site on a Multisite network. This grants the attacker read access to calendar events that may be marked as private or hidden. On single\u2011site setups, the same call triggers a fatal PHP error, resulting in an unauthenticated denial of service. The flaw is an instance of CWE\u2011639, an Insecure Direct Object Reference error.", "risk_and_exploitability": "The vulnerability has a fixed CVSS score of 8.8, indicating high severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. Attackers can exploit the flaw by sending unauthenticated HTTP requests to the exposed AJAX endpoint present in all WordPress installations that host the plugin. No authentication or special privileges are required, making the attack path straightforward for any entity with network access to the site. The exploit facilitates the extraction of private calendar data from any sub\u2011site in a Multisite network, thereby compromising confidentiality and potentially enabling further reconnaissance or lateral movement."}}}}, "created": "2026-04-17T00:00:04.540375+00:00", "updated": "2026-04-17T02:30:07.314638+00:00", "vendors": ["joedolson", "joedolson$PRODUCT$my-calendar", "wordpress", "wordpress$PRODUCT$wordpress"]}