ByteOS Network

CVE Vulnerability Details :

CVE-2026-7525

PUBLISHED

More Info Official Page

Assigner-Wordfence

Assigner Org ID-b15e7b5b-3da4-40ae-a43c-f7aa60e62599

Published At-14 May, 2026 | 03:27

Updated At-14 May, 2026 | 10:47

▼CVE Numbering Authority (CNA)

My Calendar <= 3.7.9 - Authenticated (Custom+) Missing Authorization to Unauthorized Event Publication via 'event_approved' Parameter

The My Calendar – Accessible Event Manager plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.7.9. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with custom-level access and above, to bypass the moderation and approval workflow by tampering with the POST body to publish events or set other unauthorized statuses such as cancelled or private, in ways their role does not permit. While the UI correctly restricts low-privilege users to a draft-only submit button, this restriction is enforced only client-side, making it trivially bypassable by directly manipulating the POST request.

Affected Products

Vendor

joedolson

Product

My Calendar – Accessible Event Manager

Default Status

unaffected

Versions

Affected

From 0 through 3.7.9 (semver)

Problem Types

Type	CWE ID	Description
CWE	CWE-862	CWE-862 Missing Authorization

Type: CWE

CWE ID: CWE-862

Description: CWE-862 Missing Authorization

Metrics

Version	Base score	Base severity	Vector
3.1	4.3	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Version: 3.1

Base score: 4.3

Base severity: MEDIUM

Vector:

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Credits

finder

M Indra Purnama

Timeline

Event	Date
Vendor Notified	2026-04-30 17:35:11
Disclosed	2026-05-13 00:00:00

Event: Vendor Notified

Date: 2026-04-30 17:35:11

Event: Disclosed

Date: 2026-05-13 00:00:00

References

Hyperlink	Resource
https://www.wordfence.com/threat-intel/vulnerabilities/id/3e27c0b0-c74f-47ad-b9ed-9fd6bd05d040?source=cve	N/A
https://plugins.trac.wordpress.org/browser/my-calendar/trunk/my-calendar-event-editor.php#L2384	N/A
https://plugins.trac.wordpress.org/browser/my-calendar/tags/3.7.9/my-calendar-event-editor.php#L2384	N/A
https://plugins.trac.wordpress.org/browser/my-calendar/trunk/my-calendar-event-editor.php#L406	N/A
https://plugins.trac.wordpress.org/browser/my-calendar/tags/3.7.9/my-calendar-event-editor.php#L406	N/A
https://plugins.trac.wordpress.org/browser/my-calendar/trunk/my-calendar-event-editor.php#L601	N/A
https://plugins.trac.wordpress.org/browser/my-calendar/tags/3.7.9/my-calendar-event-editor.php#L601	N/A
https://plugins.trac.wordpress.org/browser/my-calendar/tags/3.7.4/my-calendar-event-editor.php#L2384	N/A
https://plugins.trac.wordpress.org/browser/my-calendar/tags/3.7.4/my-calendar-event-editor.php#L406	N/A
https://plugins.trac.wordpress.org/browser/my-calendar/tags/3.7.4/my-calendar-event-editor.php#L601	N/A
https://github.com/joedolson/my-calendar/commit/98aef8fbfc6ca4cfe50aaa36761d5f1eb629dfe4	N/A
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3527861%40my-calendar&new=3527861%40my-calendar&sfp_email=&sfph_mail=	N/A