CVE-2026-40308

HIGH NUCLEI

My Calendar: Unauthenticated Information Disclosure (IDOR) via Multisite switch_to_blog

Title source: cna

Description

My Calendar is a WordPress plugin for managing calendar events. In versions 3.7.6 and below, the mc_ajax_mcjs_action AJAX endpoint, registered for unauthenticated users, passes user-supplied arguments through parse_str() without validation, allowing injection of arbitrary parameters including a site value. On WordPress Multisite installations, this enables an unauthenticated attacker to call switch_to_blog() with an arbitrary site ID and extract calendar events from any sub-site on the network, including private or hidden events. On standard Single Site installations, switch_to_blog() does not exist, causing an uncaught PHP fatal error and crashing the worker thread, creating an unauthenticated denial of service vector. This issue has been fixed in version 3.7.7.

Nuclei Templates (1)

My Calendar WordPress Plugin - Information Disclosure

HIGHVERIFIEDby theamanrawat

Shodan: http.html:"/wp-content/plugins/my-calendar/"

FOFA: body="/wp-content/plugins/my-calendar/" && title="WordPress"

References (2)

[X_Refsource_Confirm] https://github.com/joedolson/my-calendar/security/advisories/GHSA-2mvx-f5qm-v2ch

[X_Refsource_Misc] https://github.com/joedolson/my-calendar/releases/tag/v3.7.7

Scores

CVSS v4 8.8

EPSS 0.0189

EPSS Percentile 83.2%

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N

Details

CWE

CWE-639

Status published

Products (2)

joedolson/my-calendar 0 - 3.7.7Packagist

joedolson/my-calendar < 3.7.7

Published Apr 16, 2026

Tracked Since Apr 17, 2026