Insecure Direct Object Reference in My Calendar Plugin by WordPress
CVE-2026-11896
5.3MEDIUM
Key Information:
- Vendor
WordPress
- Vendor
- CVE Published:
- 2 July 2026
What is CVE-2026-11896?
The My Calendar β Accessible Event Manager plugin for WordPress contains a vulnerability that allows unauthenticated users to exploit an insecure direct object reference through the 'vcal' parameter. This lack of user input validation enables attackers to enumerate occurrence IDs and gain unauthorized access to sensitive calendar information. These exploits potentially expose non-public, draft, trashed, and personal calendar events, revealing critical event details such as titles, descriptions, dates, and organizer information, which could compromise user privacy and security.
Affected Version(s)
My Calendar β Accessible Event Manager 0 <= 3.7.14
References
CVSS V3.1
Score:
5.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Athiwat Tiprasaharn (Jitlada)
Tharadol Suksamran (d3kc4rt_1)