PatchSiren cyber security CVE debrief
CVE-2026-6854 joedolson CVE debrief
The My Calendar – Accessible Event Manager plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'mc_auth' parameter in all versions up to, and including, 3.7.8. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. Unauthenticated attackers can append additional SQL queries into existing queries to extract sensitive information from the database.
- Vendor
- joedolson
- Product
- My Calendar – Accessible Event Manager
- CVSS
- HIGH 7.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-08
- Original CVE updated
- 2026-07-08
- Advisory published
- 2026-07-08
- Advisory updated
- 2026-07-08
Who should care
Users of the My Calendar – Accessible Event Manager plugin for WordPress, especially those with versions up to and including 3.7.8, should be aware of this vulnerability and take immediate action to protect their installations.
Technical summary
The My Calendar – Accessible Event Manager plugin for WordPress is vulnerable to time-based blind SQL Injection. The vulnerability exists in the 'mc_auth' parameter across all versions up to, and including, 3.7.8. The issue arises from insufficient escaping of user-supplied parameters and inadequate preparation of existing SQL queries. This allows unauthenticated attackers to inject additional SQL queries into existing ones, enabling the extraction of sensitive information from the database.
Defensive priority
High priority should be given to updating the My Calendar – Accessible Event Manager plugin to a version beyond 3.7.8. In the meantime, additional defensive measures such as monitoring for suspicious database queries and restricting access to the plugin's functionality should be considered.
Recommended defensive actions
- Update the My Calendar – Accessible Event Manager plugin to the latest version.
- Monitor database queries for suspicious activity.
- Restrict access to the plugin's functionality.
- Implement additional security measures to detect and prevent SQL injection attacks.
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.
- Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance.
- Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed.
Evidence notes
The CVE record was published on 2026-07-08T12:17:21.137Z and was last modified on 2026-07-08T14:55:07.843Z. The NVD entry is currently Deferred. References include Wordfence threat intelligence and WordPress Trac changeset.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-08T12:17:21.137Z and has not been modified since then. The NVD entry is currently Deferred.