CVE-2026-40308
Status: Received - Intake
Unauthenticated Parameter Injection in My Calendar Plugin Enables Data Exposure and DoS

Publication date: 2026-04-16

Last updated on: 2026-04-17

Assigner: GitHub, Inc.

Description
My Calendar is a WordPress plugin for managing calendar events. In versions 3.7.6 and below, the mc_ajax_mcjs_action AJAX endpoint, registered for unauthenticated users, passes user-supplied arguments through parse_str() without validation, allowing injection of arbitrary parameters including a site value. On WordPress Multisite installations, this enables an unauthenticated attacker to call switch_to_blog() with an arbitrary site ID and extract calendar events from any sub-site on the network, including private or hidden events. On standard Single Site installations, switch_to_blog() does not exist, causing an uncaught PHP fatal error and crashing the worker thread, creating an unauthenticated denial of service vector. This issue has been fixed in version 3.7.7.
Meta Information
Published: 2026-04-16
Last Modified: 2026-04-17
Generated: 2026-05-07
AI Q&A: 2026-04-17
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (2 associated CPEs)
Vendor | Product | Version / Range
my_calendar | my_calendar | up to 3.7.7 (3.7.7 excluded)
my_calendar | my_calendar | 3.7.7
CWE
CWE-639: The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
AI Powered Q&A
Can you explain this vulnerability to me?

The vulnerability exists in the My Calendar WordPress plugin versions 3.7.6 and below. It involves an AJAX endpoint called mc_ajax_mcjs_action that is accessible to unauthenticated users. This endpoint improperly processes user-supplied arguments using parse_str() without validating them, allowing attackers to inject arbitrary parameters, including a site value.

On WordPress Multisite installations, this flaw lets an unauthenticated attacker call the switch_to_blog() function with any site ID, enabling them to access calendar events from any sub-site on the network, including private or hidden events.

On Single Site installations, since switch_to_blog() does not exist, the attack causes an uncaught PHP fatal error that crashes the worker thread, resulting in a denial of service.

This vulnerability was fixed in version 3.7.7 of the plugin.
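The description above and this answer both describe the same root cause: a request string expanded with parse_str() into an array whose keys the client controls, one of which is then handed to switch_to_blog(). The following PHP is an added illustration written for this page; it is not code from the My Calendar plugin or from its 3.7.7 fix. The handler names, the 'args' and 'site' request fields, the mc_get_events_for_display() helper and its 'public_only' flag are all assumptions; the WordPress functions (parse_str, is_multisite, switch_to_blog, restore_current_blog, get_site, absint, wp_send_json_*) are real. The first function shows the weak pattern, the second a hardened one that takes only an allow-listed set of parameters, refuses to switch sites unless multisite is actually active, validates the site id before switching, and serves only public events to anonymous callers.

```php
<?php
// Added example for CVE-2026-40308 (not the plugin's own code). Runs only
// inside WordPress, since it relies on core functions listed in the lead-in.

// mc_get_events_for_display() is an ASSUMED helper standing in for whatever
// query the plugin runs; its 'public_only' key is likewise assumed.

// --- Weak pattern, as the advisory describes it -----------------------------
// parse_str() writes every key the client sends into $params, so a caller can
// supply 'site' and steer switch_to_blog(); on a single-site install the
// function is undefined and the call is a fatal error.
function mc_example_weak_handler() {
    $args = isset( $_POST['args'] ) ? wp_unslash( $_POST['args'] ) : '';
    parse_str( $args, $params );
    switch_to_blog( $params['site'] );
    $events = mc_get_events_for_display( $params );
    restore_current_blog();
    wp_send_json_success( $events );
}

// --- Hardened pattern --------------------------------------------------------
function mc_example_hardened_handler() {
    // 1. Only the keys this endpoint needs survive; anything else is dropped
    //    and each value is coerced to the type the query expects.
    $allowed = array( 'category' => '', 'month' => 0, 'year' => 0 );
    $args    = isset( $_POST['args'] ) ? wp_unslash( $_POST['args'] ) : '';
    parse_str( $args, $raw );
    $params             = array_intersect_key( array_merge( $allowed, (array) $raw ), $allowed );
    $params['category'] = sanitize_text_field( (string) $params['category'] );
    $params['month']    = absint( $params['month'] );
    $params['year']     = absint( $params['year'] );

    // 2. Anonymous callers see public events only (the CWE-639 point: the
    //    visibility check must not depend on which record id was requested).
    $params['public_only'] = ! is_user_logged_in();

    // 3. A site id is accepted only from a dedicated field, only on multisite,
    //    and only if it names a site that exists. No silent fallback to
    //    whatever the request said.
    $site_id  = isset( $_POST['site'] ) ? absint( $_POST['site'] ) : 0;
    $switched = false;
    if ( $site_id > 0 ) {
        if ( ! is_multisite() || ! function_exists( 'switch_to_blog' ) ) {
            wp_send_json_error( 'site selection is not available on this install', 400 );
        }
        if ( ! get_site( $site_id ) ) {
            wp_send_json_error( 'unknown site', 400 );
        }
        switch_to_blog( $site_id );
        $switched = true;
    }

    $events = mc_get_events_for_display( $params );

    if ( $switched ) {
        restore_current_blog();
    }
    wp_send_json_success( $events );
}

// Registered for both anonymous and logged-in AJAX calls; 'mc_example' is an
// assumed action name, not the plugin's.
add_action( 'wp_ajax_nopriv_mc_example', 'mc_example_hardened_handler' );
add_action( 'wp_ajax_mc_example', 'mc_example_hardened_handler' );
```

The design point is that parse_str() output is treated as untrusted input and reduced to a fixed shape before any of it influences control flow, and that the multisite switch is guarded by is_multisite() and get_site() rather than assumed. On a single-site install the hardened handler returns a 400 JSON error instead of a fatal, which removes the denial-of-service path the advisory describes.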


How can this vulnerability impact me?

If you are using the vulnerable versions of the My Calendar plugin on a WordPress Multisite installation, an attacker can access calendar events from any sub-site, including private or hidden events, without authentication. This can lead to unauthorized disclosure of sensitive information.

If you are using a Single Site installation, the vulnerability can be exploited to cause a denial of service by crashing the worker thread, making the calendar functionality unavailable to users.


What immediate steps should I take to mitigate this vulnerability?

The vulnerability has been fixed in version 3.7.7 of the My Calendar WordPress plugin.

To mitigate this vulnerability immediately, update the My Calendar plugin to version 3.7.7 or later.

