CVE-2026-7525

Source
https://cve.org/CVERecord?id=CVE-2026-7525
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-7525.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-7525
Published
2026-05-14T03:27:14.071Z
Modified
2026-07-08T08:15:05.337449656Z
Severity
  • 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N CVSS Calculator
Summary
My Calendar <= 3.7.9 - Authenticated (Custom+) Missing Authorization to Unauthorized Event Publication via 'event_approved' Parameter
Details

The My Calendar – Accessible Event Manager plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.7.9. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with custom-level access and above, to bypass the moderation and approval workflow by tampering with the POST body to publish events or set other unauthorized statuses such as cancelled or private, in ways their role does not permit. While the UI correctly restricts low-privilege users to a draft-only submit button, this restriction is enforced only client-side, making it trivially bypassable by directly manipulating the POST request.

Database specific
{
    "cna_assigner": "Wordfence",
    "cwe_ids": [
        "CWE-862"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/7xxx/CVE-2026-7525.json"
}
References

Affected packages

Git / github.com/joedolson/my-calendar

Affected ranges

Type
GIT
Repo
https://github.com/joedolson/my-calendar
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "source": [
        "AFFECTED_FIELD",
        "REFERENCES"
    ],
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "3.7.9"
        }
    ]
}

Affected versions

3.*
3.2.0-RC1
v.*
v.3.0.6
v3.*
v3.0.0
v3.0.1
v3.0.10
v3.0.11
v3.0.12
v3.0.13
v3.0.14
v3.0.15
v3.0.16
v3.0.17
v3.0.18
v3.0.3
v3.0.4
v3.0.5
v3.0.7
v3.0.8
v3.0.9
v3.1.0
v3.1.1
v3.1.10
v3.1.11
v3.1.12
v3.1.13
v3.1.14
v3.1.15
v3.1.16
v3.1.17
v3.1.18
v3.1.2
v3.1.3
v3.1.4
v3.1.6
v3.1.7
v3.1.8
v3.1.9
v3.2.0
v3.2.0-beta
v3.2.10
v3.2.11
v3.2.12
v3.2.13
v3.2.14
v3.2.15
v3.2.16
v3.2.17
v3.2.2
v3.2.3
v3.2.4
v3.2.5
v3.2.6
v3.2.8
v3.2.9
v3.3.0
v3.3.0-RC1
v3.3.0-RC2
v3.3.0-RC3
v3.3.0-RC4
v3.3.0-alpha-2
v3.3.0-beta-1
v3.3.1
v3.3.10
v3.3.11
v3.3.12
v3.3.13
v3.3.14
v3.3.15
v3.3.16
v3.3.17
v3.3.18
v3.3.19
v3.3.2
v3.3.20
v3.3.21
v3.3.22
v3.3.23
v3.3.24
v3.3.24.1
v3.3.3
v3.3.4
v3.3.5
v3.3.6
v3.3.7
v3.3.8
v3.3.9
v3.4.0
v3.4.0-RC-1
v3.4.0-RC-2
v3.4.0-RC-3
v3.4.0-RC-4
v3.4.0-beta-1
v3.4.0-beta-2
v3.4.0-beta-3
v3.4.1
v3.4.10
v3.4.11
v3.4.12
v3.4.13
v3.4.14
v3.4.15
v3.4.16
v3.4.17
v3.4.18
v3.4.19
v3.4.2
v3.4.20
v3.4.21
v3.4.3
v3.4.4
v3.4.5
v3.4.6
v3.4.7
v3.4.8
v3.4.9
v3.5.0
v3.5.0-alpha
v3.5.0-beta1
v3.5.0-beta2
v3.5.0-beta3
v3.5.0-rc1
v3.5.0-rc2
v3.5.1
v3.5.10
v3.5.11
v3.5.12
v3.5.13
v3.5.14
v3.5.15
v3.5.16
v3.5.17
v3.5.18
v3.5.19
v3.5.2
v3.5.20
v3.5.21
v3.5.3
v3.5.4
v3.5.5
v3.5.6
v3.5.7
v3.5.8
v3.5.9
v3.6.0
v3.6.0-RC1
v3.6.0-beta1
v3.6.1
v3.6.10
v3.6.11
v3.6.12
v3.6.13
v3.6.14
v3.6.15
v3.6.16
v3.6.2
v3.6.3
v3.6.4
v3.6.5
v3.6.6
v3.6.7
v3.6.8
v3.6.9
v3.7.0
v3.7.0-beta
v3.7.0-rc1
v3.7.1
v3.7.2
v3.7.3
v3.7.4
v3.7.5
v3.7.6
v3.7.7
v3.7.8
v3.7.9

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-7525.json"