🔐 CVE Alert

CVE-2026-7525

MEDIUM 4.3

My Calendar <= 3.7.9 - Authenticated (Custom+) Missing Authorization to Unauthorized Event Publication via 'event_approved' Parameter

CVSS Score: 4.3
EPSS Score: 0.0%
EPSS Percentile: 0th

The My Calendar – Accessible Event Manager plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.7.9. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with custom-level access and above, to bypass the moderation and approval workflow by tampering with the POST body to publish events or set other unauthorized statuses such as cancelled or private, in ways their role does not permit. While the UI correctly restricts low-privilege users to a draft-only submit button, this restriction is enforced only client-side, making it trivially bypassable by directly manipulating the POST request.

CWE: CWE-862
Vendor: joedolson
Product: my calendar – accessible event manager
Published: May 14, 2026

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Affected Versions

joedolson / My Calendar – Accessible Event Manager
All versions up to and including 3.7.9

References

wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/3e27c0b0-c74f-47ad-b9ed-9fd6bd05d040?source=cve
plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/my-calendar/trunk/my-calendar-event-editor.php#L2384
plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/my-calendar/tags/3.7.9/my-calendar-event-editor.php#L2384
plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/my-calendar/trunk/my-calendar-event-editor.php#L406
plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/my-calendar/tags/3.7.9/my-calendar-event-editor.php#L406
plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/my-calendar/trunk/my-calendar-event-editor.php#L601
plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/my-calendar/tags/3.7.9/my-calendar-event-editor.php#L601
plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/my-calendar/tags/3.7.4/my-calendar-event-editor.php#L2384
plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/my-calendar/tags/3.7.4/my-calendar-event-editor.php#L406
plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/my-calendar/tags/3.7.4/my-calendar-event-editor.php#L601
github.com: https://github.com/joedolson/my-calendar/commit/98aef8fbfc6ca4cfe50aaa36761d5f1eb629dfe4
plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3527861%40my-calendar&new=3527861%40my-calendar&sfp_email=&sfph_mail=

Credits

M Indra Purnama