Unauthenticated Parameter Injection in My Calendar Plugin for WordPress
CVE-2026-40308

8.8 HIGH

Key Information:

Vendor

WordPress

CVE Published:
16 April 2026

What is CVE-2026-40308?

The My Calendar plugin, used to manage calendar events on WordPress, is vulnerable because its mc_ajax_mcjs_action AJAX endpoint is reachable by unauthenticated users. The endpoint parses user-supplied arguments with parse_str() without adequate validation, so an attacker can inject arbitrary parameters, including a site value. On WordPress Multisite installations this lets the attacker make the plugin call switch_to_blog() with any site ID and read events from any sub-site, including private or hidden ones. On standard single-site installations switch_to_blog() does not exist, so the call raises an uncaught PHP fatal error that crashes the worker, giving an unauthenticated denial of service. The issue is fixed in version 3.7.7 of the plugin.
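As an added illustration (not code from the My Calendar plugin), the following PHP contrasts the weak pattern the advisory describes with a hardened handler; the function names, the option name and the allowed argument keys are assumptions:

```php
<?php
// Illustrative AJAX handler pattern (not My Calendar's own code): the weak
// version lets parse_str() populate any key, including 'site', from an
// unauthenticated request; the hardened version allowlists parameters and
// only switches blogs on multisite, to a site the plugin itself chose.

// Weak pattern: every key in $_POST['args'] becomes an entry of $args,
// so the request can supply its own 'site' value.
function mcjs_handler_weak() {
    parse_str( wp_unslash( $_POST['args'] ?? '' ), $args );
    if ( isset( $args['site'] ) ) {
        // Undefined on single site (fatal error); any site ID on multisite.
        switch_to_blog( (int) $args['site'] );
    }
    // ... query events using $args ...
}

// Hardened pattern: allowlist the expected keys, sanitize values, and never
// let the request decide which site's events are read.
function mcjs_handler_hardened() {
    parse_str( wp_unslash( $_POST['args'] ?? '' ), $raw );
    $allowed = array( 'month', 'year', 'category' ); // hypothetical expected keys
    $args    = array_intersect_key( (array) $raw, array_flip( $allowed ) );
    $args    = array_map( 'sanitize_text_field', $args );

    $switched = false;
    if ( is_multisite() ) {
        // Site chosen by stored configuration (hypothetical option name),
        // and only if it exists; anything the request supplied is ignored.
        $site_id = (int) get_option( 'mc_calendar_site_id', 0 );
        if ( $site_id > 0 && get_site( $site_id ) ) {
            switch_to_blog( $site_id );
            $switched = true;
        }
    }
    // ... query events using $args ...
    if ( $switched ) {
        restore_current_blog();
    }
}
```

Registering the hardened handler only for authenticated users (wp_ajax_ rather than wp_ajax_nopriv_) further narrows exposure where the feature does not need to serve anonymous visitors.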

Affected Version(s)

my-calendar < 3.7.7

References

CVSS V4

Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved