PT-2026-40850 · WordPress · My Calendar – Accessible Event Manager

CVE-2026-7525

·

Published

2026-05-14

·

Updated

2026-05-14

CVSS v3.1

4.3

Medium

VectorAV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions My Calendar – Accessible Event Manager versions prior to 3.8.0
Description The plugin fails to properly verify if a user is authorized to perform specific actions. Authenticated attackers with custom-level access and above can bypass the moderation and approval workflow by manipulating the POST body. This allows them to publish events or assign unauthorized statuses, such as cancelled or private, which their assigned role should not permit. Although the user interface restricts low-privilege users to a draft-only submission button, this control is only enforced client-side and can be bypassed by directly modifying the POST request.
Recommendations Update to a version later than 3.7.9.

Exploit

Fix

Missing Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-7525

Affected Products

My Calendar – Accessible Event Manager