Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
3DescriptionCVE.org
The My Calendar - Accessible Event Manager plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.7.9. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with custom-level access and above, to bypass the moderation and approval workflow by tampering with the POST body to publish events or set other unauthorized statuses such as cancelled or private, in ways their role does not permit. While the UI correctly restricts low-privilege users to a draft-only submit button, this restriction is enforced only client-side, making it trivially bypassable by directly manipulating the POST request.
AnalysisAI
Authorization bypass in the My Calendar - Accessible Event Manager WordPress plugin (all versions through 3.7.9) allows authenticated attackers with custom-level access or higher to circumvent the moderation and approval workflow by directly manipulating the POST body. The plugin's server-side PHP code in my-calendar-event-editor.php accepted the client-supplied event_approved parameter and used it to override the server-calculated event status, despite UI-level restrictions ostensibly limiting low-privilege users to draft-only submissions. Exploitation enables unauthorized event publishing, cancellation, or marking events private - integrity impacts limited to the event management workflow. No public exploit identified at time of analysis; EPSS (0.02%, 4th percentile) and SSVC (exploitation: none) both indicate negligible current exploitation interest.
Technical ContextAI
The vulnerability resides in two functions within src/my-calendar-event-editor.php: mc_check_data() (lines ~2380-2384 in 3.7.9) and my_calendar_save() (lines ~792-796). Both functions contained legacy compatibility blocks - originally intended for older versions of My Calendar Pro - that conditionally reassigned the event approval status variable directly from $post['event_approved'] without any server-side authorization check against the submitting user's role. CWE-862 (Missing Authorization) applies precisely: the privilege enforcement existed only in the client-side UI (a submit button restricted to 'draft' mode for low-privilege users), with no corresponding server-side gate validating whether the user's role permitted the requested event_approved value. The CPE cpe:2.3:a:joedolson:my_calendar_-_accessible_event_manager is the affected product across all versions through 3.7.9. The fix, visible in commit 98aef8fbfc6ca4cfe50aaa36761d5f1eb629dfe4, removes both legacy blocks entirely, eliminating the untrusted POST parameter from influencing event status.
RemediationAI
Update the My Calendar - Accessible Event Manager plugin beyond version 3.7.9. The upstream fix is confirmed in GitHub commit 98aef8fbfc6ca4cfe50aaa36761d5f1eb629dfe4 and the corresponding WordPress SVN changeset (https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3527861%40my-calendar&new=3527861%40my-calendar), which removes the vulnerable event_approved POST parameter handling from both mc_check_data() and my_calendar_save(). A specific released plugin version number beyond 3.7.9 is not independently confirmed from available data - verify the patched version via the WordPress plugin directory before deploying. As a compensating control where immediate upgrade is not possible, restrict WordPress site registration so that untrusted users cannot obtain even custom-level contributor accounts, reducing the authenticated attacker pool. If the moderation workflow is not actively used, the practical impact is already negligible.
Unauthenticated blind SQL injection in the My Calendar - Accessible Event Manager WordPress plugin (all versions through
Insecure Direct Object Reference in the My Calendar - Accessible Event Manager WordPress plugin (all versions through 3.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30217
GHSA-r5x2-7wrx-jqfg