Platform: php
Component: my-calendar
Fixed in: 3.7.8, 3.7.7
CVE-2026-40308 is an Information Disclosure and Denial of Service vulnerability discovered in the My Calendar plugin for WordPress. The flaw allows unauthenticated users to extract sensitive calendar event data, including private or hidden events, from any sub-site within a WordPress Multisite network. On standard (single-site) WordPress installations, exploitation can instead lead to a Denial of Service by crashing the PHP worker thread. The affected range is listed as versions 3.7.6 through 3.7.6, and a patch is available in version 3.7.7.
CVE-2026-40308 in the My Calendar plugin poses a significant risk to WordPress websites, especially in Multisite environments. It allows unauthenticated attackers to access private or hidden calendar events on any subdomain within the Multisite network, compromising data confidentiality. On single-site WordPress installations, exploiting this vulnerability can trigger a PHP worker thread crash, resulting in a Denial of Service (DoS) that disrupts site availability.
An attacker can exploit this vulnerability by sending crafted HTTP requests to the mc_ajax endpoint. By manipulating request parameters, the attacker can bypass access controls and retrieve calendar information that would normally be protected. On single-site installations, a malicious request can crash the PHP worker thread, causing a denial of service. Because no authentication is required, the vulnerability is particularly dangerous.
Exploit Status
EPSS: 2.23% (85th percentile)
CISA SSVC
The recommended solution is to immediately update the My Calendar plugin to version 3.7.7 or higher. This version includes a fix to address the IDOR and DoS vulnerabilities. Additionally, review and strengthen your website's security policies, including implementing robust authentication and limiting access to sensitive resources. Monitoring server logs for suspicious activity is also crucial for detecting and responding to potential attacks.
Update the My Calendar plugin to version 3.7.7 or higher to mitigate the unauthenticated information disclosure vulnerability. This update corrects how input arguments are handled, preventing the extraction of calendar events from other sites in a WordPress Multisite installation.
IDOR (Insecure Direct Object Reference) occurs when a web application allows a user to access internal objects using a predictable or manipulable identifier without proper authorization checks.
DoS stands for Denial of Service. It's an attack that attempts to make an online service unavailable to its legitimate users, typically by overwhelming the system with traffic or requests.
If immediate updating is not possible, consider implementing temporary mitigation measures, such as restricting access to the vulnerable endpoint through a web application firewall (WAF).
Check the version of the My Calendar plugin on your website. If you are using a version prior to 3.7.7, you are vulnerable.
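As an added example (not part of the advisory or the My Calendar project), the following script shows how a defender can automate the version check: it reads the `Version:` field from a WordPress plugin header and compares it against the fixed release 3.7.7 using a numeric, component-wise comparison rather than a string comparison (so that 3.10.0 is correctly treated as newer than 3.7.7). The plugin header content below is constructed for the demonstration; the real file name and path of the plugin are assumptions.

```python
import re

# Fixed release named in the advisory.
FIXED_VERSION = "3.7.7"

# Constructed sample of a WordPress plugin file header (not the real my-calendar.php).
SAMPLE_PLUGIN_HEADER = """<?php
/*
Plugin Name: My Calendar
Plugin URI: https://example.invalid/placeholder
Version: 3.7.6
*/
"""


def parse_version(version):
    """Turn '3.7.6' into (3, 7, 6); any non-numeric suffix such as '-beta' is ignored."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def compare_versions(a, b):
    """Return -1, 0 or 1 for a < b, a == b, a > b.

    The shorter tuple is zero-padded so that '3.7' compares equal to '3.7.0'.
    """
    ta, tb = parse_version(a), parse_version(b)
    width = max(len(ta), len(tb))
    ta += (0,) * (width - len(ta))
    tb += (0,) * (width - len(tb))
    return (ta > tb) - (ta < tb)


def plugin_version_from_header(source):
    """Extract the 'Version:' value from a WordPress plugin header; None if absent.

    Accepts both '/* ... */' style headers and ' * Version:' docblock style lines.
    """
    match = re.search(r"^\s*\*?\s*Version:\s*([0-9][0-9A-Za-z.\-]*)", source, re.MULTILINE)
    return match.group(1) if match else None


def is_vulnerable(installed, fixed=FIXED_VERSION):
    """True when the installed version is older than the fixed release."""
    return compare_versions(installed, fixed) < 0


def assess_plugin_source(source):
    """Assess one plugin file's contents; returns a dict suitable for reporting."""
    version = plugin_version_from_header(source)
    if version is None:
        # No header found: report as unknown rather than silently assuming "safe".
        return {"version": None, "vulnerable": None, "note": "no Version header found"}
    vulnerable = is_vulnerable(version)
    note = "update to %s or later" % FIXED_VERSION if vulnerable else "patched release"
    return {"version": version, "vulnerable": vulnerable, "note": note}


if __name__ == "__main__":
    # Usage against a real install would read wp-content/plugins/my-calendar/my-calendar.php
    # (path is an assumption); here the constructed header is used instead.
    print(assess_plugin_source(SAMPLE_PLUGIN_HEADER))
```

The report deliberately distinguishes "unknown" (no header found) from "not vulnerable", so an unreadable or relocated plugin file does not produce a false all-clear.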
There are WordPress vulnerability scanners that can detect this vulnerability. Consult your security provider's documentation for more information.