CVE-2026-1987
IDOR Vulnerability in WordPress Scheduler Widget Allows Event Modification
Publication date: 2026-02-14
Last updated on: 2026-02-14
Assigner: Wordfence
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| scheduler_widget | scheduler_widget | all versions up to and including 0.1.6 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The Scheduler Widget WordPress plugin, in all versions up to and including 0.1.6, contains an Insecure Direct Object Reference (IDOR). The function that saves events, `scheduler_widget_ajax_save_event()`, does not check that the requesting user is authorized to edit, or owns, the event it is asked to update.

As a result, any authenticated user with Subscriber-level access or higher can modify any event in the scheduler simply by supplying that event's ID, whether or not they own it.

In short, the handler trusts the client-supplied event ID without verifying ownership or capability, which allows unauthorized modification of scheduler events. [1, 2]
How can this vulnerability impact me?
This vulnerability allows an authenticated user with minimal privileges (Subscriber-level or above) to modify any event in the scheduler, regardless of ownership.
- Unauthorized modification of events undermines data integrity: an attacker can alter the label, start or end of events belonging to other users.
- Attackers could disrupt scheduling operations, causing confusion or operational delays.
- The flaw does not by itself disclose data; it permits unauthorized changes, so it affects the integrity and availability of scheduler data rather than its confidentiality.
Overall, the impact is a medium-severity risk (CVSS 5.4) affecting the integrity and availability of event data within the plugin.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is an Insecure Direct Object Reference (IDOR) in the Scheduler Widget WordPress plugin: an authenticated user with Subscriber-level access or higher can modify events by manipulating the event ID parameter. The simplest indicator is the plugin version itself: any site running Scheduler Widget at version 0.1.6 or below should be treated as vulnerable (check under Plugins in wp-admin, or with `wp plugin list` if WP-CLI is installed).

To confirm the flaw directly, test whether the plugin's AJAX save handler lets a low-privilege account update an event it does not own:

- Log in as a Subscriber-level test account and capture its `wordpress_logged_in_<hash>` cookie (the cookie name carries a site-specific hash suffix) and, if the handler checks one, the nonce the plugin embeds in its front-end page.
- Send a POST request to the AJAX endpoint (`admin-ajax.php`) with `action=scheduler_widget_ajax_save_event`, the `id` of an event the test account does not own, and the other required event fields (`label`, `start`, `end`, etc.; take the exact field names from the plugin's own JavaScript).

Example curl command (replace the placeholders):

```sh
curl -X POST https://example.com/wp-admin/admin-ajax.php \
  -H "Cookie: wordpress_logged_in_<hash>=<subscriber_auth_cookie>" \
  -d "action=scheduler_widget_ajax_save_event" \
  -d "id=TARGET_EVENT_ID" \
  -d "label=Test" \
  -d "start=2026-01-01T10:00:00" \
  -d "end=2026-01-01T11:00:00" \
  -d "nonce=YOUR_NONCE"
```

If the event is changed (or the response reports success) even though the Subscriber account does not own it, the vulnerability is present. Use a throwaway event for the test, since a successful request really does modify data.

To detect exploitation attempts, log or alert on POST requests to `admin-ajax.php` whose `action` is `scheduler_widget_ajax_save_event` and whose session belongs to a low-privilege account, and compare the submitted `id` against the events that account owns. [2, 1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation consists of restricting who can reach the Scheduler Widget plugin's event-modification functionality and ensuring that proper authorization checks are in place.

- Update the Scheduler Widget plugin to a version that adds authorization and ownership verification to `scheduler_widget_ajax_save_event()`, if such an update is available.
- If no update is available, temporarily deactivate the Scheduler Widget plugin to prevent exploitation.
- Because any Subscriber-level account can exploit this, limit who can hold an account at all while the plugin is unpatched: disable open registration (Settings > General > Membership) and review existing low-privilege accounts. Restricting roles inside WordPress does not help on its own, since the vulnerable handler performs no role check.
- Add web application firewall (WAF) rules that block or alert on `admin-ajax.php` requests with `action=scheduler_widget_ajax_save_event` from sessions that are not expected to manage events.

Longer term, the handler must verify both the caller's capability and their ownership of the specific event identified by `id` before making any change.
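The following is an added example of what that long-term fix looks like in a WordPress AJAX handler; it is not the Scheduler Widget plugin's own code. The function and hook names follow from the advisory's `action=scheduler_widget_ajax_save_event`, but everything else is assumed: that events are stored as a custom post type `scheduler_event` whose `post_author` is the owner, that the front end sends a nonce created for the action `scheduler_widget_save_event`, and that the request fields are `id`, `label`, `start` and `end`. The vulnerable shape described by the advisory is sketched in the leading comment for contrast.

```php
<?php
/**
 * Hardened AJAX save handler (added example; not the plugin's code).
 *
 * Assumptions, none of which come from the advisory: events are a custom post
 * type 'scheduler_event' registered with map_meta_cap enabled, post_author is
 * the owner, and the page embeds wp_create_nonce( 'scheduler_widget_save_event' ).
 *
 * Vulnerable shape the advisory describes: the handler trusts $_POST['id'] and
 * updates whatever record it names, with no capability or ownership check.
 *
 *   function scheduler_widget_ajax_save_event() {
 *       $id = absint( $_POST['id'] );
 *       wp_update_post( array( 'ID' => $id, 'post_title' => $_POST['label'] ) );
 *       update_post_meta( $id, 'scheduler_start', $_POST['start'] );
 *   }
 */

function scheduler_widget_ajax_save_event() {
    // 1. CSRF: the request must carry a valid nonce for this action.
    //    check_ajax_referer() terminates the request (HTTP 403) on a bad nonce.
    check_ajax_referer( 'scheduler_widget_save_event', 'nonce' );

    // 2. Authentication: wp_ajax_* hooks only fire for logged-in users, but
    //    being explicit costs nothing and survives a later hook rename.
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( array( 'message' => 'Authentication required.' ), 401 );
    }

    $event_id = isset( $_POST['id'] ) ? absint( $_POST['id'] ) : 0;
    if ( 0 === $event_id ) {
        wp_send_json_error( array( 'message' => 'Missing event id.' ), 400 );
    }

    // 3. Object existence and type: an attacker-chosen id must not be allowed
    //    to point at an arbitrary post of some other type.
    $event = get_post( $event_id );
    if ( ! $event || 'scheduler_event' !== $event->post_type ) {
        wp_send_json_error( array( 'message' => 'No such event.' ), 404 );
    }

    // 4. Authorization: the caller must own this event, or hold a capability
    //    that permits editing others' events (edit_post maps to
    //    edit_others_posts for non-owners when map_meta_cap is enabled).
    //    This is the check whose absence makes the IDOR.
    $is_owner = (int) $event->post_author === get_current_user_id();
    if ( ! $is_owner && ! current_user_can( 'edit_post', $event_id ) ) {
        wp_send_json_error( array( 'message' => 'You may not modify this event.' ), 403 );
    }

    // 5. Only now touch the record, and only with sanitized input.
    $label = isset( $_POST['label'] ) ? sanitize_text_field( wp_unslash( $_POST['label'] ) ) : '';
    $start = isset( $_POST['start'] ) ? sanitize_text_field( wp_unslash( $_POST['start'] ) ) : '';
    $end   = isset( $_POST['end'] )   ? sanitize_text_field( wp_unslash( $_POST['end'] ) )   : '';

    $result = wp_update_post(
        array( 'ID' => $event_id, 'post_title' => $label ),
        true // return a WP_Error instead of 0 on failure
    );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( array( 'message' => $result->get_error_message() ), 500 );
    }
    update_post_meta( $event_id, 'scheduler_start', $start );
    update_post_meta( $event_id, 'scheduler_end', $end );

    wp_send_json_success( array( 'id' => $event_id ) );
}
add_action( 'wp_ajax_scheduler_widget_ajax_save_event', 'scheduler_widget_ajax_save_event' );
```

The ordering matters: nonce, then authentication, then existence and type of the target object, then ownership or capability, and only then the write. Step 4 is the one the advisory says is missing; steps 1 to 3 are there because an ownership check against an id that does not resolve to the expected object type is easy to bypass. Note that deliberately no `wp_ajax_nopriv_` hook is registered, so unauthenticated requests never reach the handler.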