PT-2026-40850 · WordPress · My Calendar – Accessible Event Manager
CVE-2026-7525
·
Published
2026-05-14
·
Updated
2026-05-14
CVSS v3.1
4.3
Medium
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
My Calendar – Accessible Event Manager versions prior to 3.8.0
Description
The plugin fails to properly verify if a user is authorized to perform specific actions. Authenticated attackers with custom-level access and above can bypass the moderation and approval workflow by manipulating the POST body. This allows them to publish events or assign unauthorized statuses, such as cancelled or private, which their assigned role should not permit. Although the user interface restricts low-privilege users to a draft-only submission button, this control is only enforced client-side and can be bypassed by directly modifying the POST request.
Recommendations
Update to a version later than 3.7.9.
Exploit
Fix
Missing Authorization
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
My Calendar – Accessible Event Manager