Skip to main content

My Calendar EUVDEUVD-2026-41266

| CVE-2026-11896 MEDIUM
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-07-02 Wordfence GHSA-rfww-46mr-4mrf
5.3
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
vuln.today AI
5.3 MEDIUM

Network-accessible endpoint requires no authentication or interaction; impact limited to low confidentiality (metadata only), with no integrity or availability effect.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 02, 2026 - 10:18 vuln.today
CVE Published
Jul 02, 2026 - 08:33 cve.org
MEDIUM 5.3

DescriptionCVE.org

The My Calendar - Accessible Event Manager plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.7.14 via the 'vcal' parameter due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to enumerate occurrence IDs and access the full iCalendar export of non-public, draft, trashed, and personal calendar events, disclosing sensitive event metadata including titles, descriptions, dates, locations, organizer and host details, permalinks, and related calendar metadata.

AnalysisAI

Insecure Direct Object Reference in the My Calendar - Accessible Event Manager WordPress plugin (all versions through 3.7.14) exposes non-public, draft, trashed, and personal calendar events to unauthenticated remote attackers via the 'vcal' iCalendar export endpoint. By enumerating integer occurrence IDs in the 'vcal' parameter, an attacker can retrieve full iCalendar exports containing event titles, descriptions, dates, locations, organizer and host details, permalinks, and related calendar metadata that site owners explicitly withheld from public view. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify WordPress site with My Calendar plugin
Delivery
Send GET request with 'vcal' parameter set to integer occurrence IDs
Exploit
Bypass authorization check in iCal export handler
Execution
Retrieve full iCalendar export of non-public event
Impact
Extract sensitive metadata (titles, descriptions, locations, organizer details)

Vulnerability AssessmentAI

Exploitation The My Calendar - Accessible Event Manager plugin must be installed and active on the WordPress site, running version 3.7.14 or earlier. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N scores 5.3 (Medium), accurately reflecting network-reachable, zero-authentication exploitation with limited confidentiality impact (event metadata, not credentials or filesystem content). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker sends sequential HTTP GET requests to the target WordPress site appending incrementing integer values to the 'vcal' parameter (e.g., /?vcal=1, /?vcal=2, …) and receives valid iCalendar (.ics) formatted responses containing full event details for non-public events. This automated enumeration requires no credentials, no prior reconnaissance beyond confirming the plugin is installed, and can be scripted in minutes to harvest all private event metadata from a target site.
Remediation Upstream fix available (commit/changeset 3572191 on the WordPress plugin Trac repository at https://plugins.trac.wordpress.org/changeset?old=3572191%40my-calendar&new=3572191%40my-calendar); a released patched version number is not independently confirmed from available data, so administrators should update to the latest available version beyond 3.7.14 via the WordPress dashboard or WP-CLI as soon as a new release is published. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-41266 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy