Skip to main content

My Calendar EUVDEUVD-2026-42218

| CVE-2026-6854 HIGH
SQL Injection (CWE-89)
2026-07-08 Wordfence GHSA-r6mh-qhp6-q734
7.5
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
7.5 HIGH

Unauthenticated network-reachable parameter (AV:N/PR:N/UI:N/AC:L); blind SQLi yields database read (C:H) but no direct write or availability loss (I:N/A:N).

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 08, 2026 - 12:36 vuln.today
CVE Published
Jul 08, 2026 - 11:30 nvd
HIGH 7.5

DescriptionCVE.org

The My Calendar - Accessible Event Manager plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'mc_auth' parameter in all versions up to, and including, 3.7.8 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

AnalysisAI

Unauthenticated blind SQL injection in the My Calendar - Accessible Event Manager WordPress plugin (all versions through 3.7.8) lets remote attackers inject SQL through the 'mc_auth' parameter, enabling extraction of sensitive database contents such as user credentials and secret keys. The flaw stems from unescaped user input concatenated into an unprepared query, and being reachable without authentication makes it broadly exploitable on any site running a vulnerable version. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Scan for sites running My Calendar ≤3.7.8
Delivery
Send request with payload in mc_auth parameter
Exploit
Injected SQL alters existing query
Execution
Conditional time delays reveal data bit-by-bit
Impact
Extract password hashes and secrets from database

Vulnerability AssessmentAI

Exploitation Exploitation requires only that the target WordPress site have the My Calendar - Accessible Event Manager plugin installed and active at any version up to and including 3.7.8, with the request-handling code path that consumes the 'mc_auth' parameter reachable over the network. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N, base 7.5) signals a genuinely low bar: network-reachable, low complexity, no privileges, no user interaction, with high confidentiality impact and no integrity or availability impact - consistent with a read-only data-extraction SQLi. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker scans the internet for WordPress sites running My Calendar ≤3.7.8 and, without any login, sends crafted requests supplying a time-based blind SQL payload in the 'mc_auth' parameter. By injecting conditional delay expressions and measuring response times, the attacker iteratively extracts administrator password hashes, session/auth secrets, and other sensitive rows from the WordPress database. …
Remediation Upstream fix available (WordPress.org plugin changeset 3515996); a released patched version is not independently confirmed in the available data, but since all versions through 3.7.8 are affected the fix ships in the next release (expected 3.7.9 or later) - update My Calendar to the latest available version from the WordPress plugin repository and verify the running version is above 3.7.8. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: identify all WordPress sites running My Calendar plugin ≤3.7.8; immediately disable or remove the plugin; if immediate removal is not possible, block access to the plugin directory via Web Application Firewall. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-42218 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy