{"id":"CVE-2026-40308","summary":"My Calendar: Unauthenticated Information Disclosure (IDOR) via Multisite switch_to_blog","details":"My Calendar is a WordPress plugin for managing calendar events. In versions 3.7.6 and below, the mc_ajax_mcjs_action AJAX endpoint, registered for unauthenticated users, passes user-supplied arguments through parse_str() without validation, allowing injection of arbitrary parameters including a site value. On WordPress Multisite installations, this enables an unauthenticated attacker to call switch_to_blog() with an arbitrary site ID and extract calendar events from any sub-site on the network, including private or hidden events. On standard Single Site installations, switch_to_blog() does not exist, causing an uncaught PHP fatal error and crashing the worker thread, creating an unauthenticated denial of service vector. This issue has been fixed in version 3.7.7.","aliases":["GHSA-2mvx-f5qm-v2ch"],"modified":"2026-07-08T08:15:05.038240539Z","published":"2026-04-16T21:30:52.401Z","database_specific":{"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/40xxx/CVE-2026-40308.json","cwe_ids":["CWE-639"]},"references":[{"type":"WEB","url":"https://github.com/joedolson/my-calendar/releases/tag/v3.7.7"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/40xxx/CVE-2026-40308.json"},{"type":"ADVISORY","url":"https://github.com/joedolson/my-calendar/security/advisories/GHSA-2mvx-f5qm-v2ch"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-40308"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/joedolson/my-calendar","events":[{"introduced":"0"},{"fixed":"9b58483dccb75a596014213ffe3376eb2d330f1a"}],"database_specific":{"source":["AFFECTED_FIELD","REFERENCES"],"extracted_events":[{"introduced":"0"},{"fixed":"3.7.7"}]}}],"versions":["v3.7.6","v3.7.5","v3.7.4","v3.7.3","v3.7.2","v3.7.1","v3.7.0","v3.7.0-rc1","v3.7.0-beta","v3.6.16","v3.6.15","v3.6.14","v3.6.13","v3.6.12","v3.6.11","v3.6.10","v3.6.9","v3.6.8","v3.6.7","v3.6.6","v3.6.5","v3.6.4","v3.6.3","v3.6.2","v3.6.1","v3.6.0","v3.6.0-RC1","v3.6.0-beta1","v3.5.21","v3.5.20","v3.5.19","v3.5.18","v3.5.17","v3.5.16","v3.5.15","v3.5.14","v3.5.13","v3.5.12","v3.5.11","v3.5.10","v3.5.9","v3.5.8","v3.5.7","v3.5.6","v3.5.5","v3.5.4","v3.5.3","v3.5.2","v3.5.1","v3.5.0","v3.5.0-rc2","v3.5.0-rc1","v3.5.0-beta3","v3.5.0-beta2","v3.5.0-beta1","v3.5.0-alpha","v3.4.21","v3.4.20","v3.4.19","v3.4.18","v3.4.17","v3.4.16","v3.4.15","v3.4.14","v3.4.13","v3.4.12","v3.4.11","v3.4.10","v3.4.9","v3.4.8","v3.4.7","v3.4.6","v3.4.5","v3.4.4","v3.4.3","v3.4.2","v3.4.1","v3.4.0","v3.4.0-RC-4","v3.4.0-RC-3","v3.4.0-RC-2","v3.4.0-RC-1","v3.4.0-beta-3","v3.4.0-beta-2","v3.4.0-beta-1","v3.3.24.1","v3.3.24","v3.3.23","v3.3.22","v3.3.21","v3.3.20","v3.3.19","v3.3.18","v3.3.17","v3.3.16","v3.3.15","v3.3.14","v3.3.13","v3.3.12","v3.3.11","v3.3.10","v3.3.9","v3.3.8","v3.3.7","v3.3.6","v3.3.5","v3.3.4","v3.3.3","v3.3.2","v3.3.1","v3.3.0","v3.3.0-RC4","v3.3.0-RC3","v3.3.0-RC2","v3.3.0-RC1","v3.3.0-beta-1","v3.3.0-alpha-2","v3.2.17","v3.2.16","v3.2.15","v3.2.14","v3.2.13","v3.2.12","v3.2.11","v3.2.10","v3.2.9","v3.2.8","v3.2.6","v3.2.5","v3.2.4","v3.2.3","v3.2.2","v3.2.0","3.2.0-RC1","v3.2.0-beta","v3.1.18","v3.1.17","v3.1.16","v3.1.15","v3.1.14","v3.1.13","v3.1.12","v3.1.11","v3.1.10","v3.1.9","v3.1.8","v3.1.7","v3.1.6","v3.1.4","v3.1.3","v3.1.2","v3.1.1","v3.1.0","v3.0.18","v3.0.17","v3.0.16","v3.0.15","v3.0.14","v3.0.13","v3.0.12","v3.0.11","v3.0.10","v3.0.9","v3.0.8","v3.0.7","v.3.0.6","v3.0.5","v3.0.4","v3.0.3","v3.0.1","v3.0.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-40308.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N"}]}