PT-2026-33370 · WordPress · My Calendar

Published 2026-04-16 · Updated 2026-04-22 · CVE-2026-40308

CVSS v4.0: 8.8 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: My Calendar versions prior to 3.7.7
Description: An issue exists in the 'mc_ajax_mcjs_action' AJAX endpoint, which is registered for unauthenticated users. The endpoint passes user-supplied arguments through the parse_str() function without proper validation, allowing the injection of arbitrary parameters, including a 'site' value. This value is then processed by the my_calendar_upcoming_events() function.
On WordPress Multisite installations, this allows an unauthenticated attacker to invoke the switch_to_blog() function with an arbitrary site ID and extract calendar events from any sub-site on the network, including private or hidden events. On standard Single Site installations, the switch_to_blog() function is not defined, so the call triggers an uncaught PHP fatal error that crashes the worker thread, resulting in a denial of service.
Recommendations: Update to version 3.7.7.
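As an added illustration (constructed for this advisory, not My Calendar's own code; the handler names, the 'args' request field and the allowlisted keys are assumptions), the handler pattern the description refers to next to a hardened form that never lets request data select the blog:

```php
<?php
// Constructed illustration, not the plugin's code. Handler and key names are assumed.

// Vulnerable pattern: parse_str() turns a caller-supplied query string into
// arbitrary array keys, so a 'site' key reaches switch_to_blog() unchecked.
function vulnerable_mcjs_handler() {
    parse_str( wp_unslash( $_POST['args'] ?? '' ), $args );
    if ( isset( $args['site'] ) ) {
        // Multisite: switches to whatever blog the request names.
        // Single site: switch_to_blog() is undefined -> fatal error (DoS).
        switch_to_blog( (int) $args['site'] );
    }
    wp_send_json_success( my_calendar_upcoming_events( $args ) );
}

// Hardened pattern: allowlist the keys a public, unauthenticated endpoint
// legitimately needs, coerce each one, and drop everything else.
function hardened_mcjs_handler() {
    parse_str( wp_unslash( $_POST['args'] ?? '' ), $raw );

    // Assumed set of harmless display parameters; 'site' is deliberately absent.
    $allowed = array(
        'before'   => 'absint',
        'after'    => 'absint',
        'category' => 'sanitize_text_field',
        'template' => 'sanitize_text_field',
    );
    $args = array();
    foreach ( $allowed as $key => $sanitize ) {
        if ( isset( $raw[ $key ] ) && is_scalar( $raw[ $key ] ) ) {
            $args[ $key ] = call_user_func( $sanitize, $raw[ $key ] );
        }
    }

    // The blog to read from is decided server-side, never by the request.
    // Guarding on is_multisite() also removes the single-site fatal error path.
    if ( is_multisite() ) {
        $args['site'] = get_current_blog_id();
    }
    wp_send_json_success( my_calendar_upcoming_events( $args ) );
}
```

The allowlist is the important part: any key parse_str() produces that is not explicitly expected, 'site' included, is discarded before the arguments reach the plugin's query code.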

Exploit

Fix

IDOR

Weakness Enumeration

Related Identifiers: CVE-2026-40308, GHSA-2MVX-F5QM-V2CH

Affected Products: My Calendar