Auth bypass in Joedolson My-calendar

CVE-2026-40308

My Calendar is a WordPress plugin for managing calendar events. In versions 3.7.6 and below, the mc_ajax_mcjs_action AJAX endpoint, registered for unauthenticated users, passes user-supplied arguments through parse_str() without validation…

Vulnerability class: IDOR (Insecure Direct Object Reference)

EPSS: 0.023 (85.0th percentile)
