Threat Advisory

My Calendar Denial of Service Vulnerability Exploited

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

CVE-2026-40308, with a CVSS score of 8.8, is a critical vulnerability in the My Calendar plugin for WordPress. It allows any unauthenticated user to extract calendar events from any sub-site on a WordPress Multisite network, including private or hidden ones, through an Insecure Direct Object Reference (IDOR) in the mc_ajax_mcjs_action AJAX function. This function, which handles the mcjs_action endpoint, is explicitly registered for unauthenticated users and accepts an args parameter from the $_REQUEST array without proper validation. An attacker can inject arbitrary key-value pairs into the $args array, which is then passed on without further checks. This allows an attacker to supply an arbitrary site ID that reaches WordPress core's switch_to_blog() function, leading to Information Disclosure across tenant boundaries on Multisite configurations or a Denial of Service on Single Site configurations. An attacker can exploit this vulnerability by sending a malicious curl request to the mcjs_action endpoint; the impact is unauthorized access to sensitive information, with business consequences such as data breaches and loss of customer trust. The exploitation requires no prerequisites or conditions, and the attack vector is network-based, making it a serious threat to affected sites.
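To make the root cause concrete, the following is an added illustration and not the My Calendar plugin's own code: a hypothetical WordPress AJAX handler that shows the weak pattern the summary describes (request-controlled $args reaching switch_to_blog()) beside a hardened version that allowlists the keys an anonymous caller may influence, never lets a public request choose the site, and checks that a site exists and that the caller is entitled to read it before any switch. The action names example_events and example_events_for_site, the 'site' key, the allowlisted keys and example_fetch_events() are assumptions made for this example.

```php
<?php
/**
 * Added example, not the plugin's code. Hook names, parameter names and
 * example_fetch_events() are assumptions; the WordPress core functions
 * (switch_to_blog, get_site, is_user_member_of_blog, ...) are real.
 */

/** Stand-in for the plugin's event query: reads whichever site is active. */
function example_fetch_events( array $args ) {
    return array( 'site' => get_current_blog_id(), 'args' => $args );
}

/** Weak pattern (shown for contrast, deliberately not hooked): every key the
 *  caller sends lands in $args, and a caller-chosen 'site' reaches switch_to_blog(). */
function example_weak_handler() {
    $args     = isset( $_REQUEST['args'] ) ? (array) $_REQUEST['args'] : array();
    $switched = false;
    if ( isset( $args['site'] ) ) {
        // On Multisite this selects another tenant's data; on a single site it
        // points at a blog that does not exist and the request breaks (the DoS case).
        switch_to_blog( (int) $args['site'] );
        $switched = true;
    }
    $events = example_fetch_events( $args );
    if ( $switched ) {
        restore_current_blog();
    }
    wp_send_json_success( $events );
}

/** Returns $site_id only if it exists and the current user may read it, else false. */
function example_readable_site_id( $site_id ) {
    $site_id = absint( $site_id );
    if ( ! is_multisite() || 0 === $site_id ) {
        return false;                       // never switch on a single-site install
    }
    if ( ! get_site( $site_id ) ) {
        return false;                       // nonexistent blog: refuse, do not switch
    }
    if ( ! is_user_member_of_blog( get_current_user_id(), $site_id )
         && ! current_user_can( 'manage_sites' ) ) {
        return false;                       // caller has no relationship with that tenant
    }
    return $site_id;
}

/** Hardened public handler: allowlisted scalar keys only, always the current site. */
function example_public_handler() {
    $raw  = isset( $_REQUEST['args'] ) ? (array) $_REQUEST['args'] : array();
    $raw  = array_filter( $raw, 'is_scalar' );              // drop nested arrays
    $keys = array( 'category', 'search', 'month', 'year' ); // 'site' is not accepted
    $args = array_map( 'sanitize_text_field', array_intersect_key( $raw, array_flip( $keys ) ) );
    wp_send_json_success( example_fetch_events( $args ) );
}
add_action( 'wp_ajax_nopriv_example_events', 'example_public_handler' );
add_action( 'wp_ajax_example_events', 'example_public_handler' );

/** Cross-site reads, if the feature is needed at all, live on an authenticated
 *  endpoint with a nonce and the site check above; there is no nopriv variant. */
function example_cross_site_handler() {
    check_ajax_referer( 'example_events', 'nonce' );
    $site_id = example_readable_site_id( isset( $_REQUEST['site'] ) ? $_REQUEST['site'] : 0 );
    if ( false === $site_id ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    switch_to_blog( $site_id );
    $events = example_fetch_events( array() );
    restore_current_blog();
    wp_send_json_success( $events );
}
add_action( 'wp_ajax_example_events_for_site', 'example_cross_site_handler' );
```

The two properties worth checking in a review of any similar handler are that a wp_ajax_nopriv_ callback never feeds a request-supplied identifier to switch_to_blog(), and that any switch is preceded by an existence check (get_site()) and an authorization check, so that a bad ID produces a 403 rather than a cross-tenant read or a broken request.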


RECOMMENDATION:

We recommend updating My Calendar to version 3.7.7.

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-2mvx-f5qm-v2ch
