CVE-2026-1987

CVSS v3.1

5.4

Medium

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

Name of the Vulnerable Software and Affected Versions Scheduler Widget versions prior to 0.1.7

Description The Scheduler Widget plugin for WordPress is susceptible to an Insecure Direct Object Reference issue. The scheduler widget ajax save event() function does not adequately verify authorization or ownership when updating events. This allows authenticated attackers with Subscriber-level access or higher to modify any event in the scheduler by manipulating the id parameter, provided they know the event ID.

Recommendations Update the Scheduler Widget plugin to version 0.1.7 or later.

Fix

IDOR

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-639

Related Identifiers

CVE-2026-1987

Affected Products

Scheduler Widget

CVE-2026-1987

Weakness Enumeration

Related Identifiers

Affected Products

References · 10