Search

Find a vulnerability

Search criteria

    20 vulnerabilities by joedolson

    CVE-2026-7525 (GCVE-0-2026-7525)

    Vulnerability from nvd – Published: 2026-05-14 03:27 – Updated: 2026-05-14 10:47
    VLAI
    Title
    My Calendar <= 3.7.9 - Authenticated (Custom+) Missing Authorization to Unauthorized Event Publication via 'event_approved' Parameter
    Summary
    The My Calendar – Accessible Event Manager plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.7.9. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with custom-level access and above, to bypass the moderation and approval workflow by tampering with the POST body to publish events or set other unauthorized statuses such as cancelled or private, in ways their role does not permit. While the UI correctly restricts low-privilege users to a draft-only submit button, this restriction is enforced only client-side, making it trivially bypassable by directly manipulating the POST request.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Credits
    M Indra Purnama
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-7525",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-14T10:40:09.974869Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-14T10:47:55.384Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "My Calendar \u2013 Accessible Event Manager",
              "vendor": "joedolson",
              "versions": [
                {
                  "lessThanOrEqual": "3.7.9",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "M Indra Purnama"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The My Calendar \u2013 Accessible Event Manager plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.7.9. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with custom-level access and above, to bypass the moderation and approval workflow by tampering with the POST body to publish events or set other unauthorized statuses such as cancelled or private, in ways their role does not permit. While the UI correctly restricts low-privilege users to a draft-only submit button, this restriction is enforced only client-side, making it trivially bypassable by directly manipulating the POST request."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862 Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-14T03:27:14.071Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3e27c0b0-c74f-47ad-b9ed-9fd6bd05d040?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/my-calendar/trunk/my-calendar-event-editor.php#L2384"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/my-calendar/tags/3.7.9/my-calendar-event-editor.php#L2384"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/my-calendar/trunk/my-calendar-event-editor.php#L406"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/my-calendar/tags/3.7.9/my-calendar-event-editor.php#L406"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/my-calendar/trunk/my-calendar-event-editor.php#L601"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/my-calendar/tags/3.7.9/my-calendar-event-editor.php#L601"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/my-calendar/tags/3.7.4/my-calendar-event-editor.php#L2384"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/my-calendar/tags/3.7.4/my-calendar-event-editor.php#L406"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/my-calendar/tags/3.7.4/my-calendar-event-editor.php#L601"
            },
            {
              "url": "https://github.com/joedolson/my-calendar/commit/98aef8fbfc6ca4cfe50aaa36761d5f1eb629dfe4"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3527861%40my-calendar\u0026new=3527861%40my-calendar\u0026sfp_email=\u0026sfph_mail="
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-04-30T17:35:11.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-05-13T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "My Calendar \u003c= 3.7.9 - Authenticated (Custom+) Missing Authorization to Unauthorized Event Publication via \u0027event_approved\u0027 Parameter"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-7525",
        "datePublished": "2026-05-14T03:27:14.071Z",
        "dateReserved": "2026-04-30T17:19:49.647Z",
        "dateUpdated": "2026-05-14T10:47:55.384Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-40308 (GCVE-0-2026-40308)

    Vulnerability from nvd – Published: 2026-04-16 21:30 – Updated: 2026-04-17 12:32
    VLAI
    Title
    My Calendar: Unauthenticated Information Disclosure (IDOR) via Multisite switch_to_blog
    Summary
    My Calendar is a WordPress plugin for managing calendar events. In versions 3.7.6 and below, the mc_ajax_mcjs_action AJAX endpoint, registered for unauthenticated users, passes user-supplied arguments through parse_str() without validation, allowing injection of arbitrary parameters including a site value. On WordPress Multisite installations, this enables an unauthenticated attacker to call switch_to_blog() with an arbitrary site ID and extract calendar events from any sub-site on the network, including private or hidden events. On standard Single Site installations, switch_to_blog() does not exist, causing an uncaught PHP fatal error and crashing the worker thread, creating an unauthenticated denial of service vector. This issue has been fixed in version 3.7.7.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-639 - Authorization Bypass Through User-Controlled Key
    Assigner
    References
    Impacted products
    Vendor Product Version
    joedolson my-calendar Affected: < 3.7.7
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-40308",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-17T12:32:21.737938Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-17T12:32:26.622Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/joedolson/my-calendar/security/advisories/GHSA-2mvx-f5qm-v2ch"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "my-calendar",
              "vendor": "joedolson",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 3.7.7"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "My Calendar is a WordPress plugin for managing calendar events. In versions 3.7.6 and below, the mc_ajax_mcjs_action AJAX endpoint, registered for unauthenticated users, passes user-supplied arguments through parse_str() without validation, allowing injection of arbitrary parameters including a site value. On WordPress Multisite installations, this enables an unauthenticated attacker to call switch_to_blog() with an arbitrary site ID and extract calendar events from any sub-site on the network, including private or hidden events. On standard Single Site installations, switch_to_blog() does not exist, causing an uncaught PHP fatal error and crashing the worker thread, creating an unauthenticated denial of service vector. This issue has been fixed in version 3.7.7."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-639",
                  "description": "CWE-639: Authorization Bypass Through User-Controlled Key",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-16T21:30:52.401Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/joedolson/my-calendar/security/advisories/GHSA-2mvx-f5qm-v2ch",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/joedolson/my-calendar/security/advisories/GHSA-2mvx-f5qm-v2ch"
            },
            {
              "name": "https://github.com/joedolson/my-calendar/releases/tag/v3.7.7",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/joedolson/my-calendar/releases/tag/v3.7.7"
            }
          ],
          "source": {
            "advisory": "GHSA-2mvx-f5qm-v2ch",
            "discovery": "UNKNOWN"
          },
          "title": "My Calendar: Unauthenticated Information Disclosure (IDOR) via Multisite switch_to_blog"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-40308",
        "datePublished": "2026-04-16T21:30:52.401Z",
        "dateReserved": "2026-04-10T21:41:54.504Z",
        "dateUpdated": "2026-04-17T12:32:26.622Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-2355 (GCVE-0-2026-2355)

    Vulnerability from nvd – Published: 2026-03-04 11:22 – Updated: 2026-04-08 16:33
    VLAI
    Title
    My Calendar – Accessible Event Manager <= 3.7.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
    Summary
    The My Calendar – Accessible Event Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `template` attribute of the `[my_calendar_upcoming]` shortcode in all versions up to, and including, 3.7.3. This is due to the use of `stripcslashes()` on user-supplied shortcode attribute values in the `mc_draw_template()` function, which decodes C-style hex escape sequences (e.g., `\x3c` to `<`) at render time, bypassing WordPress's `wp_kses_post()` content sanitization that runs at save time. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Credits
    Muhammad Yudha - DJ
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-2355",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-04T15:01:10.759696Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-04T15:01:18.317Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "My Calendar \u2013 Accessible Event Manager",
              "vendor": "joedolson",
              "versions": [
                {
                  "lessThanOrEqual": "3.7.3",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Muhammad Yudha - DJ"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The My Calendar \u2013 Accessible Event Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `template` attribute of the `[my_calendar_upcoming]` shortcode in all versions up to, and including, 3.7.3. This is due to the use of `stripcslashes()` on user-supplied shortcode attribute values in the `mc_draw_template()` function, which decodes C-style hex escape sequences (e.g., `\\x3c` to `\u003c`) at render time, bypassing WordPress\u0027s `wp_kses_post()` content sanitization that runs at save time. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 6.4,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T16:33:01.860Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/03d5c82e-f82f-4156-bb3e-e6eb365a6c36?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/my-calendar/tags/3.7.2/my-calendar-shortcodes.php#L112"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/my-calendar/tags/3.7.2/my-calendar-templates.php#L83"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/my-calendar/trunk/my-calendar-templates.php#L83"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/my-calendar/trunk/my-calendar-shortcodes.php#L112"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3464603%40my-calendar%2Ftrunk\u0026old=3454989%40my-calendar%2Ftrunk\u0026sfp_email=\u0026sfph_mail=#file6"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-02-11T19:25:20.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-03-03T22:33:52.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "My Calendar \u2013 Accessible Event Manager \u003c= 3.7.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-2355",
        "datePublished": "2026-03-04T11:22:29.620Z",
        "dateReserved": "2026-02-11T16:51:07.908Z",
        "dateUpdated": "2026-04-08T16:33:01.860Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-2362 (GCVE-0-2026-2362)

    Vulnerability from nvd – Published: 2026-02-27 08:24 – Updated: 2026-04-08 17:15
    VLAI
    Title
    WP Accessibility <= 2.3.1 - Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via 'alt' Attribute
    Summary
    The WP Accessibility plugin for WordPress is vulnerable to Stored DOM-Based Cross-Site Scripting via the 'alt' attribute of images processed by the "Long Description UI" feature in all versions up to, and including, 2.3.1. This is due to the plugin's JavaScript retrieving the alt attribute using getAttribute() and unsafely concatenating it into innerHTML and insertAdjacentHTML calls without proper sanitization or escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Exploitation requires the "Long Description UI" setting to be enabled and set to "Link to description."
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    joedolson WP Accessibility Affected: 0 , ≤ 2.3.1 (semver)
    Create a notification for this product.
    Credits
    Quốc Huy
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-2362",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-02-27T16:38:20.481048Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-06T18:45:14.718Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "WP Accessibility",
              "vendor": "joedolson",
              "versions": [
                {
                  "lessThanOrEqual": "2.3.1",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Qu\u1ed1c Huy"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The WP Accessibility plugin for WordPress is vulnerable to Stored DOM-Based Cross-Site Scripting via the \u0027alt\u0027 attribute of images processed by the \"Long Description UI\" feature in all versions up to, and including, 2.3.1. This is due to the plugin\u0027s JavaScript retrieving the alt attribute using getAttribute() and unsafely concatenating it into innerHTML and insertAdjacentHTML calls without proper sanitization or escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Exploitation requires the \"Long Description UI\" setting to be enabled and set to \"Link to description.\""
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 6.4,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:15:56.637Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b08284ad-717f-4bdb-8eaa-f44e9447ff25?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wp-accessibility/trunk/js/wp-accessibility.js#L713"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wp-accessibility/trunk/js/wp-accessibility.js#L807"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wp-accessibility/tags/2.3.1/js/wp-accessibility.js#L713"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wp-accessibility/tags/2.3.1/js/wp-accessibility.js#L807"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3464593%40wp-accessibility%2Ftrunk\u0026old=3446333%40wp-accessibility%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-02-11T19:25:20.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-02-26T19:26:02.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "WP Accessibility \u003c= 2.3.1 - Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via \u0027alt\u0027 Attribute"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-2362",
        "datePublished": "2026-02-27T08:24:19.792Z",
        "dateReserved": "2026-02-11T18:02:23.893Z",
        "dateUpdated": "2026-04-08T17:15:56.637Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-3752 (GCVE-0-2025-3752)

    Vulnerability from nvd – Published: 2025-04-25 04:23 – Updated: 2026-04-08 17:04
    VLAI
    Title
    Able Player, accessible HTML5 media player <= 1.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via preload Parameter
    Summary
    The Able Player, accessible HTML5 media player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘preload’ parameter in all versions up to, and including, 1.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. CVE-2025-46475 may be a duplicate of this.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Credits
    Peter Thaleikis
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-3752",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-25T19:24:23.723864Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-25T19:24:58.156Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Able Player, accessible HTML5 media player",
              "vendor": "joedolson",
              "versions": [
                {
                  "lessThanOrEqual": "1.2.1",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Peter Thaleikis"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Able Player, accessible HTML5 media player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018preload\u2019 parameter in all versions up to, and including, 1.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. CVE-2025-46475 may be a duplicate of this."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 6.4,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:04:39.477Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/85c123ee-8de0-4800-b96b-68bb4d763560?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/ableplayer/trunk/ableplayer.php#L375"
            },
            {
              "url": "https://wordpress.org/plugins/ableplayer/#developers"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3281106%40ableplayer\u0026new=3281106%40ableplayer"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-04-24T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Able Player, accessible HTML5 media player \u003c= 1.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via preload Parameter"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2025-3752",
        "datePublished": "2025-04-25T04:23:05.578Z",
        "dateReserved": "2025-04-16T21:29:18.314Z",
        "dateUpdated": "2026-04-08T17:04:39.477Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-3761 (GCVE-0-2025-3761)

    Vulnerability from nvd – Published: 2025-04-24 06:57 – Updated: 2026-04-08 16:59
    VLAI
    Title
    My Tickets – Accessible Event Ticketing <= 2.0.16 - Authenticated (Subscriber+) Privilege Escalation
    Summary
    The My Tickets – Accessible Event Ticketing plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 2.0.16. This is due to the mt_save_profile() function not appropriately restricting access to unauthorized users to update roles. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update their role to that of an administrator.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-269 - Improper Privilege Management
    Assigner
    Impacted products
    Credits
    ngocanh le
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-3761",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-24T12:53:32.270957Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-24T13:06:47.777Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "My Tickets \u2013 Accessible Event Ticketing",
              "vendor": "joedolson",
              "versions": [
                {
                  "lessThanOrEqual": "2.0.16",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "ngocanh le"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The My Tickets \u2013 Accessible Event Ticketing plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 2.0.16. This is due to the mt_save_profile() function not appropriately restricting access to unauthorized users to update roles. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update their role to that of an administrator."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-269",
                  "description": "CWE-269 Improper Privilege Management",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T16:59:28.189Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6d875c23-3d8a-4f82-bea3-1c46b5045d94?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3280248/my-tickets/trunk/my-tickets.php"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-04-23T18:25:36.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "My Tickets \u2013 Accessible Event Ticketing \u003c= 2.0.16 - Authenticated (Subscriber+) Privilege Escalation"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2025-3761",
        "datePublished": "2025-04-24T06:57:06.438Z",
        "dateReserved": "2025-04-17T12:33:35.406Z",
        "dateUpdated": "2026-04-08T16:59:28.189Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-1274 (GCVE-0-2024-1274)

    Vulnerability from nvd – Published: 2024-04-02 05:15 – Updated: 2024-08-27 15:28
    VLAI
    Title
    My Calendar < 3.4.24 - Authenticated Stored XSS
    Summary
    The My Calendar WordPress plugin before 3.4.24 does not sanitise and escape some parameters, which could allow users with a role as low as Subscriber to perform Cross-Site Scripting attacks (depending on the permissions set by the admin)
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    Assigner
    References
    URL Tags
    https://wpscan.com/vulnerability/91dba45b-9930-4b… exploitvdb-entrytechnical-description
    Impacted products
    Vendor Product Version
    Unknown My Calendar Affected: 0 , < 3.4.24 (semver)
    Create a notification for this product.
    joedolson my_calendar Affected: 0 , < 3.4.24 (semver)
        cpe:2.3:a:joedolson:my_calendar:*:*:*:*:*:wordpress:*:*
    Create a notification for this product.
    Credits
    WPScan
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T18:33:25.374Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "exploit",
                  "vdb-entry",
                  "technical-description",
                  "x_transferred"
                ],
                "url": "https://wpscan.com/vulnerability/91dba45b-9930-4bfb-a7bf-903c46864e9f/"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:joedolson:my_calendar:*:*:*:*:*:wordpress:*:*"
                ],
                "defaultStatus": "unaffected",
                "product": "my_calendar",
                "vendor": "joedolson",
                "versions": [
                  {
                    "lessThan": "3.4.24",
                    "status": "affected",
                    "version": "0",
                    "versionType": "semver"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 5.4,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "LOW",
                  "privilegesRequired": "LOW",
                  "scope": "CHANGED",
                  "userInteraction": "REQUIRED",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-1274",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-04-02T18:32:31.343788Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-08-27T15:28:12.101Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "My Calendar",
              "vendor": "Unknown",
              "versions": [
                {
                  "lessThan": "3.4.24",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "coordinator",
              "value": "WPScan"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The My Calendar WordPress plugin before 3.4.24 does not sanitise and escape some parameters, which could allow users with a role as low as Subscriber to perform Cross-Site Scripting attacks (depending on the permissions set by the admin)"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "CWE-79 Cross-Site Scripting (XSS)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-04-02T05:15:41.805Z",
            "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
            "shortName": "WPScan"
          },
          "references": [
            {
              "tags": [
                "exploit",
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://wpscan.com/vulnerability/91dba45b-9930-4bfb-a7bf-903c46864e9f/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "My Calendar \u003c 3.4.24 - Authenticated Stored XSS",
          "x_generator": {
            "engine": "WPScan CVE Generator"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "assignerShortName": "WPScan",
        "cveId": "CVE-2024-1274",
        "datePublished": "2024-04-02T05:15:41.805Z",
        "dateReserved": "2024-02-06T13:32:32.160Z",
        "dateUpdated": "2024-08-27T15:28:12.101Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-6360 (GCVE-0-2023-6360)

    Vulnerability from nvd – Published: 2023-11-30 15:17 – Updated: 2024-10-10 20:19
    VLAI
    Summary
    The 'My Calendar' WordPress Plugin, version < 3.4.22 is affected by an unauthenticated SQL injection vulnerability in the 'from' and 'to' parameters in the '/my-calendar/v1/events' rest route.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    Impacted products
    Vendor Product Version
    Affected: 0 , < 3.4.22 (custom)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T08:28:21.763Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.tenable.com/security/research/tra-2023-40"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-6360",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2023-12-08T20:09:15.814409Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-10T20:19:02.663Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://wordpress.org/plugins",
              "defaultStatus": "unaffected",
              "packageName": "my-calendar",
              "versions": [
                {
                  "lessThan": "3.4.22",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eThe \u0027My Calendar\u0027 WordPress Plugin, version \u0026lt; 3.4.22 is affected by an unauthenticated SQL injection vulnerability in the \u0027from\u0027 and \u0027to\u0027 parameters in the \u0027/my-calendar/v1/events\u0027 rest route.\u003c/span\u003e"
                }
              ],
              "value": "The \u0027My Calendar\u0027 WordPress Plugin, version \u003c 3.4.22 is affected by an unauthenticated SQL injection vulnerability in the \u0027from\u0027 and \u0027to\u0027 parameters in the \u0027/my-calendar/v1/events\u0027 rest route."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-7",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-7 Blind SQL Injection"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 8.6,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-11-30T15:17:14.959Z",
            "orgId": "5ac1ecc2-367a-4d16-a0b2-35d495ddd0be",
            "shortName": "tenable"
          },
          "references": [
            {
              "url": "https://www.tenable.com/security/research/tra-2023-40"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "5ac1ecc2-367a-4d16-a0b2-35d495ddd0be",
        "assignerShortName": "tenable",
        "cveId": "CVE-2023-6360",
        "datePublished": "2023-11-30T15:17:14.959Z",
        "dateReserved": "2023-11-28T10:28:13.482Z",
        "dateUpdated": "2024-10-10T20:19:02.663Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-34377 (GCVE-0-2023-34377)

    Vulnerability from nvd – Published: 2023-08-05 22:51 – Updated: 2026-04-28 16:08
    VLAI
    Title
    WordPress My Content Management Plugin <= 1.7.6 is vulnerable to Cross Site Scripting (XSS)
    Summary
    Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Joseph C Dolson My Content Management plugin <= 1.7.6 versions.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    References
    Impacted products
    Vendor Product Version
    Joseph C Dolson My Content Management Affected: n/a , ≤ 1.7.6 (custom)
    Create a notification for this product.
    Credits
    emad (Patchstack Alliance)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T16:10:07.008Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "vdb-entry",
                  "x_transferred"
                ],
                "url": "https://patchstack.com/database/vulnerability/my-content-management/wordpress-my-content-management-plugin-1-7-6-cross-site-scripting-xss-vulnerability?_s_id=cve"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-34377",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-09-25T16:25:01.553637Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-09-25T16:52:35.098Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://wordpress.org/plugins",
              "defaultStatus": "unaffected",
              "packageName": "my-content-management",
              "product": "My Content Management",
              "vendor": "Joseph C Dolson",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "1.7.7",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "1.7.6",
                  "status": "affected",
                  "version": "n/a",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "user": "00000000-0000-4000-9000-000000000000",
              "value": "emad (Patchstack Alliance)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Joseph C Dolson My Content Management plugin \u003c=\u003cspan style=\"background-color: var(--wht);\"\u003e\u00a01.7.6 versions.\u003c/span\u003e"
                }
              ],
              "value": "Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Joseph C Dolson My Content Management plugin \u003c=\u00a01.7.6 versions."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-592",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-592 Stored XSS"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 5.9,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-28T16:08:29.040Z",
            "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
            "shortName": "Patchstack"
          },
          "references": [
            {
              "tags": [
                "vdb-entry"
              ],
              "url": "https://patchstack.com/database/vulnerability/my-content-management/wordpress-my-content-management-plugin-1-7-6-cross-site-scripting-xss-vulnerability?_s_id=cve"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Update to\u00a01.7.7 or a higher version."
                }
              ],
              "value": "Update to\u00a01.7.7 or a higher version."
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "WordPress My Content Management Plugin \u003c= 1.7.6 is vulnerable to Cross Site Scripting (XSS)",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "assignerShortName": "Patchstack",
        "cveId": "CVE-2023-34377",
        "datePublished": "2023-08-05T22:51:09.632Z",
        "dateReserved": "2023-06-02T15:45:18.620Z",
        "dateUpdated": "2026-04-28T16:08:29.040Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2012-6527 (GCVE-0-2012-6527)

    Vulnerability from nvd – Published: 2013-01-31 02:00 – Updated: 2024-08-06 21:28
    VLAI
    Summary
    Cross-site scripting (XSS) vulnerability in the My Calendar plugin before 1.10.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    References
    Date Public
    2012-01-15 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-06T21:28:39.989Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "http://wordpress.org/extend/plugins/my-calendar/changelog/"
              },
              {
                "name": "mycalendar-unspecified-xss(72454)",
                "tags": [
                  "vdb-entry",
                  "x_refsource_XF",
                  "x_transferred"
                ],
                "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/72454"
              },
              {
                "name": "51539",
                "tags": [
                  "vdb-entry",
                  "x_refsource_BID",
                  "x_transferred"
                ],
                "url": "http://www.securityfocus.com/bid/51539"
              },
              {
                "name": "47579",
                "tags": [
                  "third-party-advisory",
                  "x_refsource_SECUNIA",
                  "x_transferred"
                ],
                "url": "http://secunia.com/advisories/47579"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "http://plugins.trac.wordpress.org/changeset/490070/my-calendar"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "datePublic": "2012-01-15T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Cross-site scripting (XSS) vulnerability in the My Calendar plugin before 1.10.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2017-08-28T12:57:01.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "http://wordpress.org/extend/plugins/my-calendar/changelog/"
            },
            {
              "name": "mycalendar-unspecified-xss(72454)",
              "tags": [
                "vdb-entry",
                "x_refsource_XF"
              ],
              "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/72454"
            },
            {
              "name": "51539",
              "tags": [
                "vdb-entry",
                "x_refsource_BID"
              ],
              "url": "http://www.securityfocus.com/bid/51539"
            },
            {
              "name": "47579",
              "tags": [
                "third-party-advisory",
                "x_refsource_SECUNIA"
              ],
              "url": "http://secunia.com/advisories/47579"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "http://plugins.trac.wordpress.org/changeset/490070/my-calendar"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@mitre.org",
              "ID": "CVE-2012-6527",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Cross-site scripting (XSS) vulnerability in the My Calendar plugin before 1.10.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "http://wordpress.org/extend/plugins/my-calendar/changelog/",
                  "refsource": "CONFIRM",
                  "url": "http://wordpress.org/extend/plugins/my-calendar/changelog/"
                },
                {
                  "name": "mycalendar-unspecified-xss(72454)",
                  "refsource": "XF",
                  "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/72454"
                },
                {
                  "name": "51539",
                  "refsource": "BID",
                  "url": "http://www.securityfocus.com/bid/51539"
                },
                {
                  "name": "47579",
                  "refsource": "SECUNIA",
                  "url": "http://secunia.com/advisories/47579"
                },
                {
                  "name": "http://plugins.trac.wordpress.org/changeset/490070/my-calendar",
                  "refsource": "CONFIRM",
                  "url": "http://plugins.trac.wordpress.org/changeset/490070/my-calendar"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2012-6527",
        "datePublished": "2013-01-31T02:00:00.000Z",
        "dateReserved": "2013-01-30T00:00:00.000Z",
        "dateUpdated": "2024-08-06T21:28:39.989Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2026-7525 (GCVE-0-2026-7525)

    Vulnerability from cvelistv5 – Published: 2026-05-14 03:27 – Updated: 2026-05-14 10:47
    VLAI
    Title
    My Calendar <= 3.7.9 - Authenticated (Custom+) Missing Authorization to Unauthorized Event Publication via 'event_approved' Parameter
    Summary
    The My Calendar – Accessible Event Manager plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.7.9. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with custom-level access and above, to bypass the moderation and approval workflow by tampering with the POST body to publish events or set other unauthorized statuses such as cancelled or private, in ways their role does not permit. While the UI correctly restricts low-privilege users to a draft-only submit button, this restriction is enforced only client-side, making it trivially bypassable by directly manipulating the POST request.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Credits
    M Indra Purnama
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-7525",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-14T10:40:09.974869Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-14T10:47:55.384Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "My Calendar \u2013 Accessible Event Manager",
              "vendor": "joedolson",
              "versions": [
                {
                  "lessThanOrEqual": "3.7.9",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "M Indra Purnama"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The My Calendar \u2013 Accessible Event Manager plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.7.9. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with custom-level access and above, to bypass the moderation and approval workflow by tampering with the POST body to publish events or set other unauthorized statuses such as cancelled or private, in ways their role does not permit. While the UI correctly restricts low-privilege users to a draft-only submit button, this restriction is enforced only client-side, making it trivially bypassable by directly manipulating the POST request."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862 Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-14T03:27:14.071Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3e27c0b0-c74f-47ad-b9ed-9fd6bd05d040?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/my-calendar/trunk/my-calendar-event-editor.php#L2384"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/my-calendar/tags/3.7.9/my-calendar-event-editor.php#L2384"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/my-calendar/trunk/my-calendar-event-editor.php#L406"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/my-calendar/tags/3.7.9/my-calendar-event-editor.php#L406"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/my-calendar/trunk/my-calendar-event-editor.php#L601"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/my-calendar/tags/3.7.9/my-calendar-event-editor.php#L601"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/my-calendar/tags/3.7.4/my-calendar-event-editor.php#L2384"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/my-calendar/tags/3.7.4/my-calendar-event-editor.php#L406"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/my-calendar/tags/3.7.4/my-calendar-event-editor.php#L601"
            },
            {
              "url": "https://github.com/joedolson/my-calendar/commit/98aef8fbfc6ca4cfe50aaa36761d5f1eb629dfe4"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3527861%40my-calendar\u0026new=3527861%40my-calendar\u0026sfp_email=\u0026sfph_mail="
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-04-30T17:35:11.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-05-13T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "My Calendar \u003c= 3.7.9 - Authenticated (Custom+) Missing Authorization to Unauthorized Event Publication via \u0027event_approved\u0027 Parameter"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-7525",
        "datePublished": "2026-05-14T03:27:14.071Z",
        "dateReserved": "2026-04-30T17:19:49.647Z",
        "dateUpdated": "2026-05-14T10:47:55.384Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-40308 (GCVE-0-2026-40308)

    Vulnerability from cvelistv5 – Published: 2026-04-16 21:30 – Updated: 2026-04-17 12:32
    VLAI
    Title
    My Calendar: Unauthenticated Information Disclosure (IDOR) via Multisite switch_to_blog
    Summary
    My Calendar is a WordPress plugin for managing calendar events. In versions 3.7.6 and below, the mc_ajax_mcjs_action AJAX endpoint, registered for unauthenticated users, passes user-supplied arguments through parse_str() without validation, allowing injection of arbitrary parameters including a site value. On WordPress Multisite installations, this enables an unauthenticated attacker to call switch_to_blog() with an arbitrary site ID and extract calendar events from any sub-site on the network, including private or hidden events. On standard Single Site installations, switch_to_blog() does not exist, causing an uncaught PHP fatal error and crashing the worker thread, creating an unauthenticated denial of service vector. This issue has been fixed in version 3.7.7.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-639 - Authorization Bypass Through User-Controlled Key
    Assigner
    References
    Impacted products
    Vendor Product Version
    joedolson my-calendar Affected: < 3.7.7
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-40308",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-17T12:32:21.737938Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-17T12:32:26.622Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/joedolson/my-calendar/security/advisories/GHSA-2mvx-f5qm-v2ch"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "my-calendar",
              "vendor": "joedolson",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 3.7.7"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "My Calendar is a WordPress plugin for managing calendar events. In versions 3.7.6 and below, the mc_ajax_mcjs_action AJAX endpoint, registered for unauthenticated users, passes user-supplied arguments through parse_str() without validation, allowing injection of arbitrary parameters including a site value. On WordPress Multisite installations, this enables an unauthenticated attacker to call switch_to_blog() with an arbitrary site ID and extract calendar events from any sub-site on the network, including private or hidden events. On standard Single Site installations, switch_to_blog() does not exist, causing an uncaught PHP fatal error and crashing the worker thread, creating an unauthenticated denial of service vector. This issue has been fixed in version 3.7.7."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-639",
                  "description": "CWE-639: Authorization Bypass Through User-Controlled Key",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-16T21:30:52.401Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/joedolson/my-calendar/security/advisories/GHSA-2mvx-f5qm-v2ch",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/joedolson/my-calendar/security/advisories/GHSA-2mvx-f5qm-v2ch"
            },
            {
              "name": "https://github.com/joedolson/my-calendar/releases/tag/v3.7.7",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/joedolson/my-calendar/releases/tag/v3.7.7"
            }
          ],
          "source": {
            "advisory": "GHSA-2mvx-f5qm-v2ch",
            "discovery": "UNKNOWN"
          },
          "title": "My Calendar: Unauthenticated Information Disclosure (IDOR) via Multisite switch_to_blog"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-40308",
        "datePublished": "2026-04-16T21:30:52.401Z",
        "dateReserved": "2026-04-10T21:41:54.504Z",
        "dateUpdated": "2026-04-17T12:32:26.622Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-2355 (GCVE-0-2026-2355)

    Vulnerability from cvelistv5 – Published: 2026-03-04 11:22 – Updated: 2026-04-08 16:33
    VLAI
    Title
    My Calendar – Accessible Event Manager <= 3.7.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
    Summary
    The My Calendar – Accessible Event Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `template` attribute of the `[my_calendar_upcoming]` shortcode in all versions up to, and including, 3.7.3. This is due to the use of `stripcslashes()` on user-supplied shortcode attribute values in the `mc_draw_template()` function, which decodes C-style hex escape sequences (e.g., `\x3c` to `<`) at render time, bypassing WordPress's `wp_kses_post()` content sanitization that runs at save time. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Credits
    Muhammad Yudha - DJ
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-2355",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-04T15:01:10.759696Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-04T15:01:18.317Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "My Calendar \u2013 Accessible Event Manager",
              "vendor": "joedolson",
              "versions": [
                {
                  "lessThanOrEqual": "3.7.3",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Muhammad Yudha - DJ"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The My Calendar \u2013 Accessible Event Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `template` attribute of the `[my_calendar_upcoming]` shortcode in all versions up to, and including, 3.7.3. This is due to the use of `stripcslashes()` on user-supplied shortcode attribute values in the `mc_draw_template()` function, which decodes C-style hex escape sequences (e.g., `\\x3c` to `\u003c`) at render time, bypassing WordPress\u0027s `wp_kses_post()` content sanitization that runs at save time. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 6.4,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T16:33:01.860Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/03d5c82e-f82f-4156-bb3e-e6eb365a6c36?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/my-calendar/tags/3.7.2/my-calendar-shortcodes.php#L112"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/my-calendar/tags/3.7.2/my-calendar-templates.php#L83"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/my-calendar/trunk/my-calendar-templates.php#L83"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/my-calendar/trunk/my-calendar-shortcodes.php#L112"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3464603%40my-calendar%2Ftrunk\u0026old=3454989%40my-calendar%2Ftrunk\u0026sfp_email=\u0026sfph_mail=#file6"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-02-11T19:25:20.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-03-03T22:33:52.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "My Calendar \u2013 Accessible Event Manager \u003c= 3.7.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-2355",
        "datePublished": "2026-03-04T11:22:29.620Z",
        "dateReserved": "2026-02-11T16:51:07.908Z",
        "dateUpdated": "2026-04-08T16:33:01.860Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-2362 (GCVE-0-2026-2362)

    Vulnerability from cvelistv5 – Published: 2026-02-27 08:24 – Updated: 2026-04-08 17:15
    VLAI
    Title
    WP Accessibility <= 2.3.1 - Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via 'alt' Attribute
    Summary
    The WP Accessibility plugin for WordPress is vulnerable to Stored DOM-Based Cross-Site Scripting via the 'alt' attribute of images processed by the "Long Description UI" feature in all versions up to, and including, 2.3.1. This is due to the plugin's JavaScript retrieving the alt attribute using getAttribute() and unsafely concatenating it into innerHTML and insertAdjacentHTML calls without proper sanitization or escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Exploitation requires the "Long Description UI" setting to be enabled and set to "Link to description."
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    joedolson WP Accessibility Affected: 0 , ≤ 2.3.1 (semver)
    Create a notification for this product.
    Credits
    Quốc Huy
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-2362",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-02-27T16:38:20.481048Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-06T18:45:14.718Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "WP Accessibility",
              "vendor": "joedolson",
              "versions": [
                {
                  "lessThanOrEqual": "2.3.1",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Qu\u1ed1c Huy"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The WP Accessibility plugin for WordPress is vulnerable to Stored DOM-Based Cross-Site Scripting via the \u0027alt\u0027 attribute of images processed by the \"Long Description UI\" feature in all versions up to, and including, 2.3.1. This is due to the plugin\u0027s JavaScript retrieving the alt attribute using getAttribute() and unsafely concatenating it into innerHTML and insertAdjacentHTML calls without proper sanitization or escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Exploitation requires the \"Long Description UI\" setting to be enabled and set to \"Link to description.\""
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 6.4,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:15:56.637Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b08284ad-717f-4bdb-8eaa-f44e9447ff25?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wp-accessibility/trunk/js/wp-accessibility.js#L713"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wp-accessibility/trunk/js/wp-accessibility.js#L807"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wp-accessibility/tags/2.3.1/js/wp-accessibility.js#L713"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wp-accessibility/tags/2.3.1/js/wp-accessibility.js#L807"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3464593%40wp-accessibility%2Ftrunk\u0026old=3446333%40wp-accessibility%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-02-11T19:25:20.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-02-26T19:26:02.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "WP Accessibility \u003c= 2.3.1 - Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via \u0027alt\u0027 Attribute"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-2362",
        "datePublished": "2026-02-27T08:24:19.792Z",
        "dateReserved": "2026-02-11T18:02:23.893Z",
        "dateUpdated": "2026-04-08T17:15:56.637Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-3752 (GCVE-0-2025-3752)

    Vulnerability from cvelistv5 – Published: 2025-04-25 04:23 – Updated: 2026-04-08 17:04
    VLAI
    Title
    Able Player, accessible HTML5 media player <= 1.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via preload Parameter
    Summary
    The Able Player, accessible HTML5 media player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘preload’ parameter in all versions up to, and including, 1.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. CVE-2025-46475 may be a duplicate of this.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Credits
    Peter Thaleikis
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-3752",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-25T19:24:23.723864Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-25T19:24:58.156Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Able Player, accessible HTML5 media player",
              "vendor": "joedolson",
              "versions": [
                {
                  "lessThanOrEqual": "1.2.1",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Peter Thaleikis"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Able Player, accessible HTML5 media player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018preload\u2019 parameter in all versions up to, and including, 1.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. CVE-2025-46475 may be a duplicate of this."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 6.4,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:04:39.477Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/85c123ee-8de0-4800-b96b-68bb4d763560?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/ableplayer/trunk/ableplayer.php#L375"
            },
            {
              "url": "https://wordpress.org/plugins/ableplayer/#developers"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3281106%40ableplayer\u0026new=3281106%40ableplayer"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-04-24T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Able Player, accessible HTML5 media player \u003c= 1.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via preload Parameter"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2025-3752",
        "datePublished": "2025-04-25T04:23:05.578Z",
        "dateReserved": "2025-04-16T21:29:18.314Z",
        "dateUpdated": "2026-04-08T17:04:39.477Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-3761 (GCVE-0-2025-3761)

    Vulnerability from cvelistv5 – Published: 2025-04-24 06:57 – Updated: 2026-04-08 16:59
    VLAI
    Title
    My Tickets – Accessible Event Ticketing <= 2.0.16 - Authenticated (Subscriber+) Privilege Escalation
    Summary
    The My Tickets – Accessible Event Ticketing plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 2.0.16. This is due to the mt_save_profile() function not appropriately restricting access to unauthorized users to update roles. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update their role to that of an administrator.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-269 - Improper Privilege Management
    Assigner
    Impacted products
    Credits
    ngocanh le
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-3761",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-24T12:53:32.270957Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-24T13:06:47.777Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "My Tickets \u2013 Accessible Event Ticketing",
              "vendor": "joedolson",
              "versions": [
                {
                  "lessThanOrEqual": "2.0.16",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "ngocanh le"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The My Tickets \u2013 Accessible Event Ticketing plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 2.0.16. This is due to the mt_save_profile() function not appropriately restricting access to unauthorized users to update roles. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update their role to that of an administrator."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-269",
                  "description": "CWE-269 Improper Privilege Management",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T16:59:28.189Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6d875c23-3d8a-4f82-bea3-1c46b5045d94?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3280248/my-tickets/trunk/my-tickets.php"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-04-23T18:25:36.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "My Tickets \u2013 Accessible Event Ticketing \u003c= 2.0.16 - Authenticated (Subscriber+) Privilege Escalation"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2025-3761",
        "datePublished": "2025-04-24T06:57:06.438Z",
        "dateReserved": "2025-04-17T12:33:35.406Z",
        "dateUpdated": "2026-04-08T16:59:28.189Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-1274 (GCVE-0-2024-1274)

    Vulnerability from cvelistv5 – Published: 2024-04-02 05:15 – Updated: 2024-08-27 15:28
    VLAI
    Title
    My Calendar < 3.4.24 - Authenticated Stored XSS
    Summary
    The My Calendar WordPress plugin before 3.4.24 does not sanitise and escape some parameters, which could allow users with a role as low as Subscriber to perform Cross-Site Scripting attacks (depending on the permissions set by the admin)
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    Assigner
    References
    URL Tags
    https://wpscan.com/vulnerability/91dba45b-9930-4b… exploitvdb-entrytechnical-description
    Impacted products
    Vendor Product Version
    Unknown My Calendar Affected: 0 , < 3.4.24 (semver)
    Create a notification for this product.
    joedolson my_calendar Affected: 0 , < 3.4.24 (semver)
        cpe:2.3:a:joedolson:my_calendar:*:*:*:*:*:wordpress:*:*
    Create a notification for this product.
    Credits
    WPScan
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T18:33:25.374Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "exploit",
                  "vdb-entry",
                  "technical-description",
                  "x_transferred"
                ],
                "url": "https://wpscan.com/vulnerability/91dba45b-9930-4bfb-a7bf-903c46864e9f/"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:joedolson:my_calendar:*:*:*:*:*:wordpress:*:*"
                ],
                "defaultStatus": "unaffected",
                "product": "my_calendar",
                "vendor": "joedolson",
                "versions": [
                  {
                    "lessThan": "3.4.24",
                    "status": "affected",
                    "version": "0",
                    "versionType": "semver"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 5.4,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "LOW",
                  "privilegesRequired": "LOW",
                  "scope": "CHANGED",
                  "userInteraction": "REQUIRED",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-1274",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-04-02T18:32:31.343788Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-08-27T15:28:12.101Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "My Calendar",
              "vendor": "Unknown",
              "versions": [
                {
                  "lessThan": "3.4.24",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "coordinator",
              "value": "WPScan"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The My Calendar WordPress plugin before 3.4.24 does not sanitise and escape some parameters, which could allow users with a role as low as Subscriber to perform Cross-Site Scripting attacks (depending on the permissions set by the admin)"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "CWE-79 Cross-Site Scripting (XSS)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-04-02T05:15:41.805Z",
            "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
            "shortName": "WPScan"
          },
          "references": [
            {
              "tags": [
                "exploit",
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://wpscan.com/vulnerability/91dba45b-9930-4bfb-a7bf-903c46864e9f/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "My Calendar \u003c 3.4.24 - Authenticated Stored XSS",
          "x_generator": {
            "engine": "WPScan CVE Generator"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "assignerShortName": "WPScan",
        "cveId": "CVE-2024-1274",
        "datePublished": "2024-04-02T05:15:41.805Z",
        "dateReserved": "2024-02-06T13:32:32.160Z",
        "dateUpdated": "2024-08-27T15:28:12.101Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-6360 (GCVE-0-2023-6360)

    Vulnerability from cvelistv5 – Published: 2023-11-30 15:17 – Updated: 2024-10-10 20:19
    VLAI
    Summary
    The 'My Calendar' WordPress Plugin, version < 3.4.22 is affected by an unauthenticated SQL injection vulnerability in the 'from' and 'to' parameters in the '/my-calendar/v1/events' rest route.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    Impacted products
    Vendor Product Version
    Affected: 0 , < 3.4.22 (custom)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T08:28:21.763Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.tenable.com/security/research/tra-2023-40"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-6360",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2023-12-08T20:09:15.814409Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-10T20:19:02.663Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://wordpress.org/plugins",
              "defaultStatus": "unaffected",
              "packageName": "my-calendar",
              "versions": [
                {
                  "lessThan": "3.4.22",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eThe \u0027My Calendar\u0027 WordPress Plugin, version \u0026lt; 3.4.22 is affected by an unauthenticated SQL injection vulnerability in the \u0027from\u0027 and \u0027to\u0027 parameters in the \u0027/my-calendar/v1/events\u0027 rest route.\u003c/span\u003e"
                }
              ],
              "value": "The \u0027My Calendar\u0027 WordPress Plugin, version \u003c 3.4.22 is affected by an unauthenticated SQL injection vulnerability in the \u0027from\u0027 and \u0027to\u0027 parameters in the \u0027/my-calendar/v1/events\u0027 rest route."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-7",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-7 Blind SQL Injection"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 8.6,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-11-30T15:17:14.959Z",
            "orgId": "5ac1ecc2-367a-4d16-a0b2-35d495ddd0be",
            "shortName": "tenable"
          },
          "references": [
            {
              "url": "https://www.tenable.com/security/research/tra-2023-40"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "5ac1ecc2-367a-4d16-a0b2-35d495ddd0be",
        "assignerShortName": "tenable",
        "cveId": "CVE-2023-6360",
        "datePublished": "2023-11-30T15:17:14.959Z",
        "dateReserved": "2023-11-28T10:28:13.482Z",
        "dateUpdated": "2024-10-10T20:19:02.663Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-34377 (GCVE-0-2023-34377)

    Vulnerability from cvelistv5 – Published: 2023-08-05 22:51 – Updated: 2026-04-28 16:08
    VLAI
    Title
    WordPress My Content Management Plugin <= 1.7.6 is vulnerable to Cross Site Scripting (XSS)
    Summary
    Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Joseph C Dolson My Content Management plugin <= 1.7.6 versions.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    References
    Impacted products
    Vendor Product Version
    Joseph C Dolson My Content Management Affected: n/a , ≤ 1.7.6 (custom)
    Create a notification for this product.
    Credits
    emad (Patchstack Alliance)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T16:10:07.008Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "vdb-entry",
                  "x_transferred"
                ],
                "url": "https://patchstack.com/database/vulnerability/my-content-management/wordpress-my-content-management-plugin-1-7-6-cross-site-scripting-xss-vulnerability?_s_id=cve"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-34377",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-09-25T16:25:01.553637Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-09-25T16:52:35.098Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://wordpress.org/plugins",
              "defaultStatus": "unaffected",
              "packageName": "my-content-management",
              "product": "My Content Management",
              "vendor": "Joseph C Dolson",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "1.7.7",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "1.7.6",
                  "status": "affected",
                  "version": "n/a",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "user": "00000000-0000-4000-9000-000000000000",
              "value": "emad (Patchstack Alliance)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Joseph C Dolson My Content Management plugin \u003c=\u003cspan style=\"background-color: var(--wht);\"\u003e\u00a01.7.6 versions.\u003c/span\u003e"
                }
              ],
              "value": "Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Joseph C Dolson My Content Management plugin \u003c=\u00a01.7.6 versions."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-592",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-592 Stored XSS"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 5.9,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-28T16:08:29.040Z",
            "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
            "shortName": "Patchstack"
          },
          "references": [
            {
              "tags": [
                "vdb-entry"
              ],
              "url": "https://patchstack.com/database/vulnerability/my-content-management/wordpress-my-content-management-plugin-1-7-6-cross-site-scripting-xss-vulnerability?_s_id=cve"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Update to\u00a01.7.7 or a higher version."
                }
              ],
              "value": "Update to\u00a01.7.7 or a higher version."
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "WordPress My Content Management Plugin \u003c= 1.7.6 is vulnerable to Cross Site Scripting (XSS)",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "assignerShortName": "Patchstack",
        "cveId": "CVE-2023-34377",
        "datePublished": "2023-08-05T22:51:09.632Z",
        "dateReserved": "2023-06-02T15:45:18.620Z",
        "dateUpdated": "2026-04-28T16:08:29.040Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2012-6527 (GCVE-0-2012-6527)

    Vulnerability from cvelistv5 – Published: 2013-01-31 02:00 – Updated: 2024-08-06 21:28
    VLAI
    Summary
    Cross-site scripting (XSS) vulnerability in the My Calendar plugin before 1.10.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    References
    Date Public
    2012-01-15 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-06T21:28:39.989Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "http://wordpress.org/extend/plugins/my-calendar/changelog/"
              },
              {
                "name": "mycalendar-unspecified-xss(72454)",
                "tags": [
                  "vdb-entry",
                  "x_refsource_XF",
                  "x_transferred"
                ],
                "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/72454"
              },
              {
                "name": "51539",
                "tags": [
                  "vdb-entry",
                  "x_refsource_BID",
                  "x_transferred"
                ],
                "url": "http://www.securityfocus.com/bid/51539"
              },
              {
                "name": "47579",
                "tags": [
                  "third-party-advisory",
                  "x_refsource_SECUNIA",
                  "x_transferred"
                ],
                "url": "http://secunia.com/advisories/47579"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "http://plugins.trac.wordpress.org/changeset/490070/my-calendar"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "datePublic": "2012-01-15T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Cross-site scripting (XSS) vulnerability in the My Calendar plugin before 1.10.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2017-08-28T12:57:01.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "http://wordpress.org/extend/plugins/my-calendar/changelog/"
            },
            {
              "name": "mycalendar-unspecified-xss(72454)",
              "tags": [
                "vdb-entry",
                "x_refsource_XF"
              ],
              "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/72454"
            },
            {
              "name": "51539",
              "tags": [
                "vdb-entry",
                "x_refsource_BID"
              ],
              "url": "http://www.securityfocus.com/bid/51539"
            },
            {
              "name": "47579",
              "tags": [
                "third-party-advisory",
                "x_refsource_SECUNIA"
              ],
              "url": "http://secunia.com/advisories/47579"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "http://plugins.trac.wordpress.org/changeset/490070/my-calendar"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@mitre.org",
              "ID": "CVE-2012-6527",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Cross-site scripting (XSS) vulnerability in the My Calendar plugin before 1.10.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "http://wordpress.org/extend/plugins/my-calendar/changelog/",
                  "refsource": "CONFIRM",
                  "url": "http://wordpress.org/extend/plugins/my-calendar/changelog/"
                },
                {
                  "name": "mycalendar-unspecified-xss(72454)",
                  "refsource": "XF",
                  "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/72454"
                },
                {
                  "name": "51539",
                  "refsource": "BID",
                  "url": "http://www.securityfocus.com/bid/51539"
                },
                {
                  "name": "47579",
                  "refsource": "SECUNIA",
                  "url": "http://secunia.com/advisories/47579"
                },
                {
                  "name": "http://plugins.trac.wordpress.org/changeset/490070/my-calendar",
                  "refsource": "CONFIRM",
                  "url": "http://plugins.trac.wordpress.org/changeset/490070/my-calendar"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2012-6527",
        "datePublished": "2013-01-31T02:00:00.000Z",
        "dateReserved": "2013-01-30T00:00:00.000Z",
        "dateUpdated": "2024-08-06T21:28:39.989Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }