Lucene search
K

120 matches found

NVD
NVD
added 6 hours ago6 views

CVE-2026-6854

The My Calendar – Accessible Event Manager plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'mcauth' parameter in all versions up to, and including, 3.7.8 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL...

7.5CVSS
Exploits0References2
EUVD
EUVD
added 7 hours ago4 views

EUVD-2026-42218

The My Calendar – Accessible Event Manager plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'mcauth' parameter in all versions up to, and including, 3.7.8 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL...

7.5CVSS6AI score
Exploits0References2
Cvelist
Cvelist
added 7 hours ago5 views

CVE-2026-6854 My Calendar <= 3.7.8 - Unauthenticated SQL Injection via 'mc_auth' and 'mc_host' Parameters

The My Calendar – Accessible Event Manager plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'mcauth' parameter in all versions up to, and including, 3.7.8 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL...

7.5CVSS
Exploits0References2
CVE
CVE
added 7 hours ago7 views

CVE-2026-6854

The CVE covers the WordPress plugin My Calendar – Accessible Event Manager. It is vulnerable to time-based blind SQL Injection via the mc_auth parameter in all versions up to 3.7.8, caused by insufficient escaping of user input and inadequate preparation of the SQL query. This allows unauthentica...

7.5CVSS6AI score
Exploits0References2
Nuclei
Nuclei
added 13 hours ago39 views

WordPress My Calendar <= 3.1.9 - Cross-Site Scripting

WordPress plugin My Calendar = 3.1.10 or apply the vendor-provided patch to fix the XSS vulnerability. reference: - https://wpscan.com/vulnerability/9267 - https://wordpress.org/plugins/my-calendar/developers - https://nvd.nist.gov/vuln/detail/CVE-2019-15713 -...

6.1CVSS6.3AI score0.02542EPSS
Exploits1References5
Nuclei
Nuclei
added 13 hours ago137 views

My Calendar WordPress Plugin - Information Disclosure

My Calendar WordPress plugin = 3.7.6 contains an injection vulnerability caused by unvalidated user input passed to parsestr in mcajaxmcjsaction endpoint, letting unauthenticated attackers access or crash sites via switchtoblog, exploit requires WordPress Multisite or Single Site setup. id:...

8.8CVSS5.9AI score0.00932EPSS
Exploits0References2
Nuclei
Nuclei
added 5 days ago119 views

WordPress My Calendar <3.4.22 - SQL Injection

WordPress My Calendar plugin versions before 3.4.22 are vulnerable to an unauthenticated SQL injection within the 'from' and 'to' parameters of the '/my-calendar/v1/events' REST route. id: CVE-2023-6360 info: name: WordPress My Calendar 3.4.22 - SQL Injection author: xxcdd severity: critical...

9.8CVSS7.2AI score0.63141EPSS
Exploits1References5
CVE
CVE
added 6 days ago16 views

CVE-2026-11896

The CVE-2026-11896 entry describes a flaw in the WordPress plugin “My Calendar – Accessible Event Manager” (versions up to 3.7.14). The root cause is missing validation on a user-controlled key used by the vcal parameter, enabling Insecure Direct Object Reference. This allows unauthenticated atta...

5.3CVSS5.8AI score0.00313EPSS
Exploits0References14
Patchstack
Patchstack
added last week6 views

WordPress My Calendar – Accessible Event Manager plugin <= 3.7.14 - Insecure Direct Object Reference to Unauthenticated Sensitive Information Disclosure vulnerability

Insecure Direct Object Reference to Unauthenticated Sensitive Information Disclosure vulnerability discovered by ? in WordPress Plugin My Calendar versions = 3.7.14...

5.3CVSS5.8AI score0.00313EPSS
Exploits0References1Affected Software1
RedhatCVE
RedhatCVE
added 2026/06/05 7:39 p.m.9 views

CVE-2026-7525

The My Calendar – Accessible Event Manager plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.7.9. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers,...

4.3CVSS5.5AI score0.00341EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/05/14 3:27 a.m.8 views

CVE-2026-7525 My Calendar <= 3.7.9 - Authenticated (Custom+) Missing Authorization to Unauthorized Event Publication via 'event_approved' Parameter

The My Calendar – Accessible Event Manager plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.7.9. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers,...

4.3CVSS5.8AI score0.00341EPSS
Exploits0References12
EUVD
EUVD
added 2026/05/14 3:27 a.m.8 views

EUVD-2026-30217

The My Calendar – Accessible Event Manager plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.7.9. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers,...

4.3CVSS5.8AI score0.00341EPSS
Exploits0References12
CVE
CVE
added 2026/05/14 3:27 a.m.24 views

CVE-2026-7525

The CVE pertains to WordPress plugin My Calendar – Accessible Event Manager (versions ≤ 3.7.9). It describes an authorization bypass: authenticated users with custom-level access can tamper with the POST body (e.g., event_approved) to publish events or set statuses (cancelled, private) beyond the...

4.3CVSS5.8AI score0.00341EPSS
Exploits0References12
Positive Technologies
Positive Technologies
added 2026/05/14 12:0 a.m.12 views

PT-2026-40850

The My Calendar – Accessible Event Manager plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.7.9. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers,...

4.3CVSS5.8AI score0.00341EPSS
Exploits0References13
CNNVD
CNNVD
added 2026/05/14 12:0 a.m.12 views

WordPress plugin My Calendar – Accessible Event Manager 安全漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...

4.3CVSS5.8AI score0.00341EPSS
Exploits0References1
Patchstack
Patchstack
added 2026/05/13 12:0 a.m.19 views

WordPress My Calendar – Accessible Event Manager plugin <= 3.7.9 - Authenticated (Custom+) Missing Authorization to Unauthorized Event Publication vulnerability

Authenticated Custom+ Missing Authorization to Unauthorized Event Publication vulnerability discovered by type5afe in WordPress Plugin My Calendar versions = 3.7.9...

4.3CVSS5.8AI score0.00341EPSS
Exploits0References1Affected Software1
OSV
OSV
added 2026/04/16 9:34 p.m.6 views

GHSA-2MVX-F5QM-V2CH Unauthenticated Information Disclosure (IDOR) via Multisite switch_to_blog in My Calendar

Summary An unauthenticated Insecure Direct Object Reference IDOR and Denial of Service DoS vulnerability in the My Calendar plugin allows any unauthenticated user to extract calendar events including private or hidden ones from any sub-site on a WordPress Multisite network. On standard Single Sit...

8.8CVSS5.8AI score0.00932EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/16 9:34 p.m.3 views

Authorization Bypass Through User-Controlled Key

Overview Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the mcajaxmcjsaction function. An attacker can access sensitive event data from other sub-sites or cause a denial of service by sending crafted requests to the unauthenticated endpoin...

8.8CVSS5.9AI score0.00932EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/04/16 9:30 p.m.5 views

CVE-2026-40308 My Calendar: Unauthenticated Information Disclosure (IDOR) via Multisite switch_to_blog

My Calendar is a WordPress plugin for managing calendar events. In versions 3.7.6 and below, the mcajaxmcjsaction AJAX endpoint, registered for unauthenticated users, passes user-supplied arguments through parsestr without validation, allowing injection of arbitrary parameters including a site...

8.8CVSS5.8AI score0.00932EPSS
Exploits0References2
CVE
CVE
added 2026/04/16 9:30 p.m.22 views

CVE-2026-40308

CVE-2026-40308 - My Calendar (WordPress) plugin : Affected versions are 3.7.6 and earlier. The mc_ajax_mcjs_action AJAX endpoint, exposed to unauthenticated users, passes user-supplied arguments through parse_str() without validation, enabling injection of arbitrary parameters including a site va...

8.8CVSS5.8AI score0.00932EPSS
Exploits0References2
Rows per page
Query Builder