Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1336 CNY

100%

CVE-2026-11896— My Calendar <= 3.7.14 - Insecure Direct Object Reference to Unauthenticated Sensitive Information Disclosure via 'vcal' Parameter

CVSS 5.3 · Medium EPSS 0.31% · P23

Possible ATT&CK Techniques 1AI

T1530 · Data from Cloud Storage

Affected Version Matrix 1

VendorProductVersion RangeStatus
joedolsonMy Calendar – Accessible Event Manager≤ 3.7.14affected
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-11896

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
My Calendar <= 3.7.14 - Insecure Direct Object Reference to Unauthenticated Sensitive Information Disclosure via 'vcal' Parameter
Source: NVD (National Vulnerability Database)
Vulnerability Description
The My Calendar – Accessible Event Manager plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.7.14 via the 'vcal' parameter due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to enumerate occurrence IDs and access the full iCalendar export of non-public, draft, trashed, and personal calendar events, disclosing sensitive event metadata including titles, descriptions, dates, locations, organizer and host details, permalinks, and related calendar metadata.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
通过用户控制密钥绕过授权机制
Source: NVD (National Vulnerability Database)
Vulnerability Title
Joe Dolson My Calendar 授权问题漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
joedolson My Calendar – Accessible Event Manager是joedolson的事件管理器插件。 Joe Dolson My Calendar 3.7.14及之前版本存在授权问题漏洞,该漏洞源于通过'vcal'参数缺少对用户控制密钥的验证,存在不安全的直接对象引用,可能导致未经身份验证的攻击者枚举事件ID并访问非公开、草稿、已删除和个人日历事件的完整iCalendar导出,泄露敏感事件元数据。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
joedolsonMy Calendar – Accessible Event Manager 0 ~ 3.7.14 -

II. Public POCs for CVE-2026-11896

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2026-11896

登录查看更多情报信息。

Patches & Fixes for CVE-2026-11896 (6)

News Coverage for CVE-2026-11896 (1)

Vendor Pages for CVE-2026-11896 (1)

Other References for CVE-2026-11896 (2)

IV. Related Vulnerabilities

V. Comments for CVE-2026-11896

No comments yet


Leave a comment