6 matches found
CVE-2026-40308
My Calendar is a WordPress plugin for managing calendar events. In versions 3.7.6 and below, the mcajaxmcjsaction AJAX endpoint, registered for unauthenticated users, passes user-supplied arguments through parsestr without validation, allowing injection of arbitrary parameters including a site...
Unauthenticated Information Disclosure (IDOR) via Multisite switch_to_blog in My Calendar
Summary An unauthenticated Insecure Direct Object Reference IDOR and Denial of Service DoS vulnerability in the My Calendar plugin allows any unauthenticated user to extract calendar events including private or hidden ones from any sub-site on a WordPress Multisite network. On standard Single Sit...
GHSA-2MVX-F5QM-V2CH Unauthenticated Information Disclosure (IDOR) via Multisite switch_to_blog in My Calendar
Summary An unauthenticated Insecure Direct Object Reference IDOR and Denial of Service DoS vulnerability in the My Calendar plugin allows any unauthenticated user to extract calendar events including private or hidden ones from any sub-site on a WordPress Multisite network. On standard Single Sit...
CVE-2026-40308 My Calendar: Unauthenticated Information Disclosure (IDOR) via Multisite switch_to_blog
My Calendar is a WordPress plugin for managing calendar events. In versions 3.7.6 and below, the mcajaxmcjsaction AJAX endpoint, registered for unauthenticated users, passes user-supplied arguments through parsestr without validation, allowing injection of arbitrary parameters including a site...
CVE-2026-40308 My Calendar: Unauthenticated Information Disclosure (IDOR) via Multisite switch_to_blog
My Calendar is a WordPress plugin for managing calendar events. In versions 3.7.6 and below, the mcajaxmcjsaction AJAX endpoint, registered for unauthenticated users, passes user-supplied arguments through parsestr without validation, allowing injection of arbitrary parameters including a site...
CVE-2026-40308
My Calendar is a WordPress plugin for managing calendar events. In versions 3.7.6 and below, the mcajaxmcjsaction AJAX endpoint, registered for unauthenticated users, passes user-supplied arguments through parsestr without validation, allowing injection of arbitrary parameters including a site...