Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Network-accessible endpoint requires no authentication or interaction; impact limited to low confidentiality (metadata only), with no integrity or availability effect.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
The My Calendar - Accessible Event Manager plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.7.14 via the 'vcal' parameter due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to enumerate occurrence IDs and access the full iCalendar export of non-public, draft, trashed, and personal calendar events, disclosing sensitive event metadata including titles, descriptions, dates, locations, organizer and host details, permalinks, and related calendar metadata.
AnalysisAI
Insecure Direct Object Reference in the My Calendar - Accessible Event Manager WordPress plugin (all versions through 3.7.14) exposes non-public, draft, trashed, and personal calendar events to unauthenticated remote attackers via the 'vcal' iCalendar export endpoint. By enumerating integer occurrence IDs in the 'vcal' parameter, an attacker can retrieve full iCalendar exports containing event titles, descriptions, dates, locations, organizer and host details, permalinks, and related calendar metadata that site owners explicitly withheld from public view. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The My Calendar - Accessible Event Manager plugin must be installed and active on the WordPress site, running version 3.7.14 or earlier. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N scores 5.3 (Medium), accurately reflecting network-reachable, zero-authentication exploitation with limited confidentiality impact (event metadata, not credentials or filesystem content). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated attacker sends sequential HTTP GET requests to the target WordPress site appending incrementing integer values to the 'vcal' parameter (e.g., /?vcal=1, /?vcal=2, …) and receives valid iCalendar (.ics) formatted responses containing full event details for non-public events. This automated enumeration requires no credentials, no prior reconnaissance beyond confirming the plugin is installed, and can be scripted in minutes to harvest all private event metadata from a target site. |
| Remediation | Upstream fix available (commit/changeset 3572191 on the WordPress plugin Trac repository at https://plugins.trac.wordpress.org/changeset?old=3572191%40my-calendar&new=3572191%40my-calendar); a released patched version number is not independently confirmed from available data, so administrators should update to the latest available version beyond 3.7.14 via the WordPress dashboard or WP-CLI as soon as a new release is published. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Unauthenticated blind SQL injection in the My Calendar - Accessible Event Manager WordPress plugin (all versions through
Authorization bypass in the My Calendar - Accessible Event Manager WordPress plugin (all versions through 3.7.9) allows
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41266
GHSA-rfww-46mr-4mrf