CVE-2026-7525: Authorization Bypass in My Calendar Plugin
Plattform
wordpress
Komponente
my-calendar
Behoben in
3.7.10
CVE-2026-7525 describes an authorization bypass vulnerability affecting the My Calendar – Accessible Event Manager plugin for WordPress. An authenticated attacker with custom-level access or higher can exploit this flaw to bypass the moderation and approval workflow, allowing them to publish events or modify their status (e.g., cancelled, private) without proper authorization. This vulnerability impacts versions of the plugin up to and including 3.7.9, with a fix available in version 3.7.10.
Erkenne diese CVE in deinem Projekt
Lade deine Abhängigkeitsdatei hoch und erfahre sofort, ob dich diese und andere CVEs treffen.
Auswirkungen und Angriffsszenarien
The primary impact of CVE-2026-7525 is the potential for unauthorized event management. An attacker who has gained access to a WordPress site with a custom-level user account or higher can leverage this vulnerability to publish malicious events, schedule inappropriate content, or manipulate event statuses to disrupt operations or mislead users. This could lead to reputational damage, data manipulation, or even denial of service if the attacker floods the site with unwanted events. The ability to change event statuses also presents a risk of unauthorized cancellations or modifications, potentially impacting event attendees or stakeholders.
Ausnutzungskontext
CVE-2026-7525 was published on 2026-05-13. Its CVSS score of 4.3 indicates a medium severity. There are currently no publicly known Proof-of-Concept (POC) exploits for this vulnerability. It is not listed on KEV or EPSS, suggesting a low probability of active exploitation at this time. Monitor WordPress security advisories and plugin update channels for any further developments.
Bedrohungsanalyse
Exploit-Status
CISA SSVC
CVSS-Vektor
Was bedeuten diese Metriken?
- Attack Vector
- Netzwerk — aus der Ferne über das Internet ausnutzbar. Kein physischer oder lokaler Zugriff erforderlich.
- Attack Complexity
- Niedrig — keine besonderen Bedingungen erforderlich. Zuverlässig ausnutzbar.
- Privileges Required
- Niedrig — jedes gültige Benutzerkonto ist ausreichend.
- User Interaction
- Keine — automatischer und lautloser Angriff. Das Opfer tut nichts.
- Scope
- Unverändert — Auswirkung auf das anfällige Komponente beschränkt.
- Confidentiality
- Keine — kein Vertraulichkeitseinfluss.
- Integrity
- Niedrig — Angreifer kann einige Daten mit begrenztem Umfang ändern.
- Availability
- Keine — kein Verfügbarkeitseinfluss.
Betroffene Software
Schwachstellen-Klassifikation (CWE)
Zeitleiste
- Reserviert
- Veröffentlicht
- Geändert
Mitigation und Workarounds
The primary mitigation for CVE-2026-7525 is to immediately upgrade the My Calendar plugin to version 3.7.10 or later. If upgrading is not immediately feasible due to compatibility issues or site downtime concerns, consider implementing stricter role-based access controls within WordPress to limit the privileges of custom-level users. Review user permissions and ensure that only authorized personnel have the ability to publish or modify events. While a direct WAF rule is unlikely, a WAF could be configured to monitor for suspicious POST requests targeting event creation or modification endpoints, looking for unexpected parameter values or unauthorized status changes. After upgrading, verify the fix by attempting to create or modify an event with a custom-level user account and confirming that the moderation workflow is enforced.
So beheben
Aktualisieren Sie auf Version 3.7.10 oder eine neuere gepatchte Version
Häufig gestellte Fragen
What is CVE-2026-7525 — Authorization Bypass in My Calendar plugin?
CVE-2026-7525 is a medium severity authorization bypass vulnerability in the My Calendar plugin for WordPress, affecting versions up to 3.7.9. It allows authenticated attackers with custom-level access to bypass moderation and publish events without proper authorization.
Am I affected by CVE-2026-7525 in My Calendar plugin?
You are affected if you are using the My Calendar plugin in WordPress versions 3.7.9 or earlier. Check your plugin version using wp plugin list and upgrade if necessary.
How do I fix CVE-2026-7525 in My Calendar plugin?
Upgrade the My Calendar plugin to version 3.7.10 or later. If immediate upgrade is not possible, implement stricter role-based access controls within WordPress.
Is CVE-2026-7525 being actively exploited?
Currently, there are no publicly known Proof-of-Concept exploits or reports of active exploitation for CVE-2026-7525. However, continuous monitoring is recommended.
Where can I find the official My Calendar advisory for CVE-2026-7525?
Refer to the official My Calendar plugin website and WordPress security announcements for the latest advisory and updates regarding CVE-2026-7525.
Ist dein Projekt betroffen?
Lade deine Abhängigkeitsdatei hoch und erfahre sofort, ob dich diese und andere CVEs treffen.
Erkenne diese CVE in deinem Projekt
Lade deine Abhängigkeitsdatei hoch und erfahre sofort, ob dich diese und andere CVEs treffen.
Scannen Sie jetzt Ihr WordPress-Projekt – kein Konto
Laden Sie ein Manifest hoch (composer.lock, package-lock.json, WordPress Plugin-Liste…) oder fügen Sie Ihre Komponentenliste ein. Sie erhalten sofort einen Schwachstellenbericht. Das Hochladen einer Datei ist nur der Anfang: Mit einem Konto erhalten Sie kontinuierliche Überwachung, Slack/email-Benachrichtigungen, Multi-Projekt- und White-Label-Berichte.
Abhängigkeitsdatei hier ablegen
composer.lock, package-lock.json, requirements.txt, Gemfile.lock, pubspec.lock, Dockerfile...