PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-6854 joedolson CVE debrief

The My Calendar – Accessible Event Manager plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'mc_auth' parameter in all versions up to, and including, 3.7.8. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. Unauthenticated attackers can append additional SQL queries into existing queries to extract sensitive information from the database.

Vendor
joedolson
Product
My Calendar – Accessible Event Manager
CVSS
HIGH 7.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-08
Original CVE updated
2026-07-08
Advisory published
2026-07-08
Advisory updated
2026-07-08

Who should care

Users of the My Calendar – Accessible Event Manager plugin for WordPress, especially those with versions up to and including 3.7.8, should be aware of this vulnerability and take immediate action to protect their installations.

Technical summary

The My Calendar – Accessible Event Manager plugin for WordPress is vulnerable to time-based blind SQL Injection. The vulnerability exists in the 'mc_auth' parameter across all versions up to, and including, 3.7.8. The issue arises from insufficient escaping of user-supplied parameters and inadequate preparation of existing SQL queries. This allows unauthenticated attackers to inject additional SQL queries into existing ones, enabling the extraction of sensitive information from the database.

Defensive priority

High priority should be given to updating the My Calendar – Accessible Event Manager plugin to a version beyond 3.7.8. In the meantime, additional defensive measures such as monitoring for suspicious database queries and restricting access to the plugin's functionality should be considered.

Recommended defensive actions

  • Update the My Calendar – Accessible Event Manager plugin to the latest version.
  • Monitor database queries for suspicious activity.
  • Restrict access to the plugin's functionality.
  • Implement additional security measures to detect and prevent SQL injection attacks.
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.
  • Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance.
  • Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed.

Evidence notes

The CVE record was published on 2026-07-08T12:17:21.137Z and was last modified on 2026-07-08T14:55:07.843Z. The NVD entry is currently Deferred. References include Wordfence threat intelligence and WordPress Trac changeset.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-08T12:17:21.137Z and has not been modified since then. The NVD entry is currently Deferred.