Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Unauthenticated network-reachable parameter (AV:N/PR:N/UI:N/AC:L); blind SQLi yields database read (C:H) but no direct write or availability loss (I:N/A:N).
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
The My Calendar - Accessible Event Manager plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'mc_auth' parameter in all versions up to, and including, 3.7.8 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
AnalysisAI
Unauthenticated blind SQL injection in the My Calendar - Accessible Event Manager WordPress plugin (all versions through 3.7.8) lets remote attackers inject SQL through the 'mc_auth' parameter, enabling extraction of sensitive database contents such as user credentials and secret keys. The flaw stems from unescaped user input concatenated into an unprepared query, and being reachable without authentication makes it broadly exploitable on any site running a vulnerable version. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires only that the target WordPress site have the My Calendar - Accessible Event Manager plugin installed and active at any version up to and including 3.7.8, with the request-handling code path that consumes the 'mc_auth' parameter reachable over the network. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N, base 7.5) signals a genuinely low bar: network-reachable, low complexity, no privileges, no user interaction, with high confidentiality impact and no integrity or availability impact - consistent with a read-only data-extraction SQLi. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker scans the internet for WordPress sites running My Calendar ≤3.7.8 and, without any login, sends crafted requests supplying a time-based blind SQL payload in the 'mc_auth' parameter. By injecting conditional delay expressions and measuring response times, the attacker iteratively extracts administrator password hashes, session/auth secrets, and other sensitive rows from the WordPress database. … |
| Remediation | Upstream fix available (WordPress.org plugin changeset 3515996); a released patched version is not independently confirmed in the available data, but since all versions through 3.7.8 are affected the fix ships in the next release (expected 3.7.9 or later) - update My Calendar to the latest available version from the WordPress plugin repository and verify the running version is above 3.7.8. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: identify all WordPress sites running My Calendar plugin ≤3.7.8; immediately disable or remove the plugin; if immediate removal is not possible, block access to the plugin directory via Web Application Firewall. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Insecure Direct Object Reference in the My Calendar - Accessible Event Manager WordPress plugin (all versions through 3.
Authorization bypass in the My Calendar - Accessible Event Manager WordPress plugin (all versions through 3.7.9) allows
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42218
GHSA-r6mh-qhp6-q734