CVE-2026-40308— My Calendar: Unauthenticated Information Disclosure (IDOR) via Multisite switch_to_blog
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-40308
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
My Calendar: Unauthenticated Information Disclosure (IDOR) via Multisite switch_to_blog
Source: NVD (National Vulnerability Database)
Vulnerability Description
My Calendar is a WordPress plugin for managing calendar events. In versions 3.7.6 and below, the mc_ajax_mcjs_action AJAX endpoint, registered for unauthenticated users, passes user-supplied arguments through parse_str() without validation, allowing injection of arbitrary parameters including a site value. On WordPress Multisite installations, this enables an unauthenticated attacker to call switch_to_blog() with an arbitrary site ID and extract calendar events from any sub-site on the network, including private or hidden events. On standard Single Site installations, switch_to_blog() does not exist, causing an uncaught PHP fatal error and crashing the worker thread, creating an unauthenticated denial of service vector. This issue has been fixed in version 3.7.7.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
通过用户控制密钥绕过授权机制
Source: NVD (National Vulnerability Database)
Vulnerability Title
WordPress plugin My Calendar 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
WordPress和WordPress plugin都是WordPress基金会的产品。WordPress是一套使用PHP语言开发的博客平台。该平台具有在基于PHP和MySQL的服务器上架设个人博客网站的功能。WordPress plugin是一个应用插件。 WordPress plugin My Calendar 3.7.6及之前版本存在安全漏洞,该漏洞源于mc_ajax_mcjs_action AJAX端点未经身份验证即可访问,且未经验证即传递用户提供的参数,可能导致未经身份验证的攻击者在多站点安装中
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| joedolson | my-calendar | < 3.7.7 | - |
II. Public POCs for CVE-2026-40308
| # | POC Description | Source Link | Shenlong Link |
|---|---|---|---|
| 1 | My Calendar WordPress plugin <= 3.7.6 contains an injection vulnerability caused by unvalidated user input passed to parse_str() in mc_ajax_mcjs_action endpoint, letting unauthenticated attackers access or crash sites via switch_to_blog(), exploit requires WordPress Multisite or Single Site setup. | https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2026/CVE-2026-40308.yaml | POC Details |
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-40308
请登录查看更多情报信息。
IV. Related Vulnerabilities
Same vendor: joedolson
Same weakness: CWE-639
- CVE-2026-8196
JeecgBoot mLogin Endpoint LoginController.java authorization - CVE-2026-42291
SysReptor: Read-write access to personal notes by sharing-li - CVE-2026-44400
MailEnable Enterprise Premium < 10.55 Authorization Bypass v - CVE-2026-42279
solidtime: Time entry update endpoint allows cross-organizat - CVE-2026-42277
Onyx: IDOR in /chat/file/{file_id} allows any authenticated
V. Comments for CVE-2026-40308
No comments yet