PatchSiren cyber security CVE debrief

CVE-2026-7525 Plugins CVE debrief

CVE-2026-7525 affects the My Calendar – Accessible Event Manager WordPress plugin through version 3.7.9. The issue is a missing authorization check in event submission handling, which can let authenticated users with custom-level access and above bypass the intended moderation workflow by tampering with the POST body. The UI’s draft-only restriction for low-privilege users is enforced client-side only, so it is not a reliable control.

Vendor: Plugins
Product: Unknown
CVSS: MEDIUM 4.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-14
Original CVE updated: 2026-05-14
Advisory published: 2026-05-14
Advisory updated: 2026-05-14

Who should care

WordPress administrators, site owners, and security teams running the My Calendar plugin—especially installations that allow non-admin users to submit or manage events and rely on moderation before publication.

Technical summary

The advisory describes an authorization bypass (CWE-862) in the My Calendar event editor flow. According to the supplied source, the plugin does not properly verify that the requester is authorized to perform the requested action. As a result, authenticated attackers with custom-level access and above can alter POST parameters to publish events or assign other statuses such as cancelled or private, despite the UI presenting a draft-only submit option to lower-privilege users. The provided references include plugin source locations in versions 3.7.4, 3.7.9, and trunk, plus an upstream commit reference tied to the fix.

Defensive priority

Medium. The issue is network-reachable and requires authentication, but it can directly undermine event moderation and content integrity in deployments that accept untrusted event submissions.

Recommended defensive actions

  • Update My Calendar to a version newer than 3.7.9 once a fixed release is available from the vendor.
  • Review any roles that can create or edit events; remove unnecessary event-submission privileges from non-admin users.
  • Verify that server-side authorization checks, not just UI controls, enforce event status changes and publication paths.
  • Audit existing events for unexpected status changes such as published, private, or cancelled entries.
  • Monitor application logs and administrative activity for unusual POST requests to the event editor endpoints.
  • If immediate patching is not possible, restrict access to event submission features to trusted administrators only.
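The following is an added illustration of the weakness class described in the technical summary and of the third recommended action (server-side enforcement of event status). It is not My Calendar's code and does not reproduce the plugin's actual handler; every function, capability, action and form-field name in it is a hypothetical stand-in chosen for this example. The first resolver shows the pattern the advisory describes (the draft-only limit exists only in the form, so a tampered POST body can set any status); the second forces the decision onto the server with WordPress capability checks and logs the tampering attempt.

```php
<?php
// Added example, not My Calendar's own code. All names below are assumptions:
// capabilities, the admin-post action, and the POST field names are hypothetical.

// Assumed custom capabilities; a real plugin would register these on activation.
const EVT_CAP_SUBMIT  = 'evt_submit_event';   // may create draft events
const EVT_CAP_APPROVE = 'evt_approve_event';  // may publish, cancel or make private

// Statuses the application understands.
const EVT_STATUSES = array( 'draft', 'publish', 'private', 'cancelled' );

/**
 * VULNERABLE pattern: trusts whatever status arrives in the POST body.
 * The draft-only restriction lives only in the rendered form (the status
 * control is hidden for low-privilege users), so any authenticated user who
 * can reach this handler can send event_status=publish directly.
 */
function evt_resolve_status_vulnerable( array $post ) {
    $status = isset( $post['event_status'] )
        ? sanitize_text_field( wp_unslash( $post['event_status'] ) )
        : 'draft';
    return in_array( $status, EVT_STATUSES, true ) ? $status : 'draft';
}

/**
 * HARDENED pattern: the submitted status is only a request; the server
 * decides what this user may set. Anyone without the approval capability is
 * forced to 'draft' regardless of what the POST body contains.
 */
function evt_resolve_status_hardened( array $post ) {
    $requested = isset( $post['event_status'] )
        ? sanitize_text_field( wp_unslash( $post['event_status'] ) )
        : 'draft';
    if ( ! in_array( $requested, EVT_STATUSES, true ) ) {
        $requested = 'draft';
    }
    if ( 'draft' !== $requested && ! current_user_can( EVT_CAP_APPROVE ) ) {
        // A low-privilege user asking for a non-draft status is exactly the
        // tampering the advisory describes; record it so monitoring can alert.
        error_log( sprintf(
            'event status "%s" requested by user %d without %s; forced to draft',
            $requested, get_current_user_id(), EVT_CAP_APPROVE
        ) );
        return 'draft';
    }
    return $requested;
}

/**
 * Handler for admin-post.php?action=evt_save (hypothetical action name).
 * Authorization is checked before any data is touched, and the nonce ties
 * the request to the form that was rendered for this user.
 */
function evt_handle_save() {
    if ( ! is_user_logged_in() || ! current_user_can( EVT_CAP_SUBMIT ) ) {
        wp_die( 'Not authorized to submit events.', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'evt_save_event', 'evt_nonce' ); // dies on a bad or missing nonce

    $status = evt_resolve_status_hardened( $_POST );
    $title  = isset( $_POST['event_title'] )
        ? sanitize_text_field( wp_unslash( $_POST['event_title'] ) )
        : '';

    // ... persist $title with $status through the plugin's storage layer (omitted) ...

    wp_safe_redirect( add_query_arg( 'evt_saved', $status, wp_get_referer() ) );
    exit;
}
add_action( 'admin_post_evt_save', 'evt_handle_save' );
```

The design point is that the capability check sits in the resolver the handler always calls, so hiding or showing form controls in the UI no longer has any security effect: the same POST body yields 'draft' for a submitter and the requested status only for an approver. The error_log line is what the fifth recommended action would key on when reviewing logs.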

Evidence notes

The supplied advisory states that the issue affects all versions up to and including 3.7.9 and is caused by missing authorization verification. It also states that the draft-only limitation for low-privilege users is client-side and can be bypassed by directly manipulating the POST request. The source corpus includes references to the My Calendar plugin source in 3.7.4, 3.7.9, and trunk, as well as an upstream commit reference and official CVE/NVD records. GitHub labels the advisory as unreviewed in the provided metadata.

Official resources

Published in the supplied source on 2026-05-14T06:31:32Z and modified at 2026-05-14T06:31:40Z. The source item is marked unreviewed in the GitHub Advisory Database metadata. NVD published the record earlier the same day at 2026-05-14T05:16: