5.3
CVE-2026-11896
- EPSS 0.31%
- Veröffentlicht 02.07.2026 08:33:06
- Zuletzt bearbeitet 02.07.2026 20:17:00
- Quelle security@wordfence.com
- CVE-Watchlists
- Unerledigt
My Calendar <= 3.7.14 - Insecure Direct Object Reference to Unauthenticated Sensitive Information Disclosure via 'vcal' Parameter
The My Calendar – Accessible Event Manager plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.7.14 via the 'vcal' parameter due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to enumerate occurrence IDs and access the full iCalendar export of non-public, draft, trashed, and personal calendar events, disclosing sensitive event metadata including titles, descriptions, dates, locations, organizer and host details, permalinks, and related calendar metadata.
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
Herstellerjoedolson
≫
Produkt
My Calendar – Accessible Event Manager
Default Statusunaffected
Version <=
3.7.14
Version
0
Status
affected
VulnDex Vulnerability Enrichment
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.31% | 0.231 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| security@wordfence.com | 5.3 | 3.9 | 1.4 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
|
CWE-639 Authorization Bypass Through User-Controlled Key
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
https://www.wordfence.com/threat-intel/vulnerabilities/id/a72639df-fa05-414c-b30c-eb285f59d945?source=cve
https://plugins.trac.wordpress.org/browser/my-calendar/tags/3.7.14/my-calendar-api.php#L212
https://plugins.trac.wordpress.org/browser/my-calendar/tags/3.7.14/my-calendar.php#L209
https://plugins.trac.wordpress.org/browser/my-calendar/tags/3.7.14/my-calendar-api.php#L246
https://plugins.trac.wordpress.org/browser/my-calendar/tags/3.7.14/my-calendar-events.php#L748
https://plugins.trac.wordpress.org/browser/my-calendar/tags/3.7.14/includes/ical.php#L26
https://plugins.trac.wordpress.org/browser/my-calendar/tags/3.7.14/includes/date-utilities.php#L417
https://plugins.trac.wordpress.org/browser/my-calendar/trunk/my-calendar-api.php#L212
https://plugins.trac.wordpress.org/browser/my-calendar/trunk/my-calendar.php#L209
https://plugins.trac.wordpress.org/browser/my-calendar/trunk/my-calendar-api.php#L246
https://plugins.trac.wordpress.org/browser/my-calendar/trunk/my-calendar-events.php#L748
https://plugins.trac.wordpress.org/browser/my-calendar/trunk/includes/ical.php#L26
https://plugins.trac.wordpress.org/browser/my-calendar/trunk/includes/date-utilities.php#L417
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3572191%40my-calendar&new=3572191%40my-calendar&sfp_email=&sfph_mail=