CVE-2026-40308 Scanner

CVE-2026-40308 Scanner - Information Disclosure vulnerability in My Calendar WordPress Plugin

Short Info

Level: High
Single Scan: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 11 days 7 hours
Scan only one: URL

My Calendar is a versatile WordPress plugin used to manage and display events across a WordPress-powered website. It is used mainly by bloggers, businesses, and organizations for scheduling. The plugin supports event management on both single-site and multisite WordPress installations and offers features such as event sharing and event search for better user interaction. Its popularity stems from its ease of use and its compatibility with numerous WordPress themes. Overall, it provides an effective way to add a calendar to a WordPress site.

The vulnerability in question is an Information Disclosure flaw in the My Calendar WordPress plugin. On a WordPress multisite installation it allows unauthenticated attackers to view private events. The flaw results from insufficient validation of user input, which leads to data exposure. On single-site installations the same flaw could instead lead to a denial of service. Such vulnerabilities pose significant risks because they can breach data privacy and affect site availability.

The vulnerability resides in the plugin's mc_ajax_mcjs_action endpoint. User input supplied through HTTP GET requests is passed to the parse_str() function without validation, which lets an attacker manipulate the resulting data. The affected code path is the endpoint's input processing, on both WordPress Multisite and Single Site installations. Attackers leverage the flaw to access information or disrupt service by switching the request into a different blog context. Proper validation was never applied to this input, which is the root of the oversight.
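The defensive pattern the paragraph above implies, as an added example that is not the My Calendar plugin's code: a hypothetical AJAX handler that parses a query string into a local array instead of trusting it, whitelists the keys it accepts, and refuses to switch blog context for unauthenticated requests or for sites the requester is not a member of. The handler name, the mc_state parameter, the blog_id and month keys and the mc_example_events filter are assumptions for illustration; the WordPress functions used (parse_str, absint, is_multisite, get_site, is_user_member_of_blog, switch_to_blog, restore_current_blog, wp_send_json_error) are real.

```php
<?php
// Added example, not the My Calendar plugin's code. The handler name,
// the 'mc_state' query string and the 'blog_id'/'month' keys are hypothetical.

/**
 * Validate a raw query string and return a sanitized state array, or WP_Error.
 * Passing the second argument to parse_str() keeps untrusted keys in a local
 * array instead of letting them become variables in the function's scope.
 */
function mc_example_parse_state( $raw ) {
    if ( ! is_string( $raw ) || strlen( $raw ) > 1024 ) {
        return new WP_Error( 'bad_input', 'State parameter missing or too long.' );
    }
    $parsed = array();
    parse_str( $raw, $parsed );

    // Whitelist the keys we accept and coerce each to the expected type.
    $state = array(
        'blog_id' => isset( $parsed['blog_id'] ) ? absint( $parsed['blog_id'] ) : get_current_blog_id(),
        'month'   => isset( $parsed['month'] ) ? absint( $parsed['month'] ) : (int) date( 'n' ),
    );
    if ( $state['month'] < 1 || $state['month'] > 12 ) {
        return new WP_Error( 'bad_input', 'Month out of range.' );
    }
    return $state;
}

/**
 * Decide whether the requester may read events from the given site.
 * Unauthenticated requests never get to change the site context.
 */
function mc_example_can_switch_to( $blog_id ) {
    if ( ! is_multisite() || $blog_id === get_current_blog_id() ) {
        return true; // no context switch involved
    }
    if ( ! is_user_logged_in() || ! get_site( $blog_id ) ) {
        return false;
    }
    return is_user_member_of_blog( get_current_user_id(), $blog_id );
}

function mc_example_ajax_handler() {
    $raw   = isset( $_GET['mc_state'] ) ? wp_unslash( $_GET['mc_state'] ) : '';
    $state = mc_example_parse_state( $raw );
    if ( is_wp_error( $state ) ) {
        wp_send_json_error( $state->get_error_message(), 400 );
    }
    if ( ! mc_example_can_switch_to( $state['blog_id'] ) ) {
        wp_send_json_error( 'Not permitted to read events from that site.', 403 );
    }

    $switched = is_multisite() && $state['blog_id'] !== get_current_blog_id();
    if ( $switched ) {
        switch_to_blog( $state['blog_id'] );
    }
    try {
        // Hypothetical event lookup; a real handler would query its own tables.
        $events = apply_filters( 'mc_example_events', array(), $state['month'] );
    } finally {
        // Always return to the original site, even if the lookup throws.
        if ( $switched ) {
            restore_current_blog();
        }
    }
    wp_send_json_success( $events );
}
add_action( 'wp_ajax_mc_example_state', 'mc_example_ajax_handler' );
add_action( 'wp_ajax_nopriv_mc_example_state', 'mc_example_ajax_handler' );
```

The two checks that matter are the type coercion with absint() before the value reaches switch_to_blog(), and the membership test that keeps an anonymous caller from reading another site's private events; the length cap on the raw string is a cheap guard against oversized input on single-site installations, where the page notes the impact is availability rather than disclosure.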

If a malicious actor exploits this vulnerability, the result is unauthorized information disclosure or service disruption. In a WordPress Multisite setup the attacker might gain access to confidential event details, causing a privacy breach. On a Single Site setup the vulnerability could instead enable a denial of service, potentially making the site unreachable. Such exposure can cause reputational damage as well as legal repercussions for failing to protect user data. Until the fix is applied, continued exploitation remains a standing threat to site stability and security.
