CVE-2026-40308
Published: 16 April 2026
Summary
CVE-2026-40308 is a high-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability. Its CVSS base score is 8.8 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 43.9% of CVEs by exploit likelihood, and it is not currently listed in the CISA KEV catalog.
Deeper analysis
The vulnerability affects the My Calendar WordPress plugin in versions 3.7.6 and below. The mc_ajax_mcjs_action AJAX endpoint, which is registered for unauthenticated users, passes attacker-supplied arguments through parse_str() without validation. This permits injection of arbitrary parameters, including a site value that reaches switch_to_blog() on multisite installations or triggers an uncaught fatal error on single-site setups.
An unauthenticated remote attacker can supply a crafted request to the endpoint and, on WordPress multisite, invoke switch_to_blog() with an arbitrary site identifier to retrieve calendar events from any subsite, including private or hidden ones. On single-site installations the same request produces a PHP fatal error that crashes the worker thread, resulting in an unauthenticated denial of service. The CVSS 4.0 score of 8.8 reflects network-exploitable confidentiality and availability impact without authentication or user interaction.
The flaw is resolved in version 3.7.7, as stated in the project release notes and the accompanying GitHub security advisories. The EPSS score has remained flat at 0.0310 with no material increase after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-23306
Vulnerability details
My Calendar is a WordPress plugin for managing calendar events. In versions 3.7.6 and below, the mc_ajax_mcjs_action AJAX endpoint, registered for unauthenticated users, passes user-supplied arguments through parse_str() without validation, allowing injection of arbitrary parameters including a site value. On WordPress Multisite installations, this enables an unauthenticated attacker to call switch_to_blog() with an arbitrary site ID and extract calendar events from any sub-site on the network, including private or hidden events. On standard Single Site installations, switch_to_blog() does not exist, causing an uncaught PHP fatal error and crashing the worker thread, creating an unauthenticated denial of service vector. This issue has been fixed in version 3.7.7.
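The parameter-handling defect described in the Deeper analysis and Vulnerability details sections, shown as an added illustration beside a hardened form. This is not the My Calendar plugin's own code: the functions mc_args_unsafe and mc_args_safe, the MC_ALLOWED allowlist and the WordPress stand-ins are assumptions so the file runs on a plain PHP CLI.

```php
<?php
// Stand-ins for WordPress functions so this runs outside WordPress (assumed).
if (!function_exists('is_multisite')) {
    function is_multisite(): bool { return false; }
}
if (!function_exists('get_current_blog_id')) {
    function get_current_blog_id(): int { return 1; }
}

// Pattern 1 (the weakness): every key the client puts in the query string is
// trusted, so an unexpected key such as 'site' reaches later code unchanged.
function mc_args_unsafe(string $query): array {
    parse_str($query, $params);
    return $params;
}

// Pattern 2 (hardened): allowlist the keys the endpoint actually needs, coerce
// their types, and decide the blog to read from on the server, never from input.
const MC_ALLOWED = ['category' => 'int', 'year' => 'int', 'month' => 'int'];

function mc_args_safe(string $query): array {
    parse_str($query, $raw);
    $clean = [];
    foreach (MC_ALLOWED as $key => $type) {
        if (!array_key_exists($key, $raw) || is_array($raw[$key])) {
            continue;                       // missing or nested value: drop it
        }
        $clean[$key] = $type === 'int' ? (int) $raw[$key] : (string) $raw[$key];
    }
    // Any client-supplied 'site' is discarded above. Only on multisite is a blog
    // id set at all, and it is the current one, so switch_to_blog() is never
    // called with a client-chosen id and never called on a single-site install.
    $clean['site'] = is_multisite() ? get_current_blog_id() : null;
    return $clean;
}

// Constructed request string carrying one key the endpoint does not expect.
$q = 'category=3&month=4&site=2';
var_dump(mc_args_unsafe($q)['site']);       // string(1) "2": passed through
var_dump(mc_args_safe($q)['site']);         // NULL on single-site: discarded
var_dump(array_keys(mc_args_safe($q)));     // only category, month, site
```

A detection-side check for the same weakness is a request log filter on the mc_ajax_mcjs_action endpoint for a site parameter, since the endpoint has no legitimate reason to receive one.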
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated remote exploitation of a public-facing WordPress plugin (T1190), enabling an authorization bypass for calendar event data and a worker-thread denial of service via an uncaught fatal error (T1499).
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.