Cyber Resilience

CVE-2026-40308

Severity: High
Published: 16 April 2026
Modified: 17 April 2026
CVSS v4 score: 8.8 (vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0093 (56.1th percentile)
Risk priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-40308 is a high-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 43.9% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.

Deeper analysis

The vulnerability affects the My Calendar WordPress plugin in versions 3.7.6 and below. The mc_ajax_mcjs_action AJAX endpoint, which is registered for unauthenticated users, passes attacker-supplied arguments through parse_str() without validation. This permits injection of arbitrary parameters, including a site value that reaches switch_to_blog() on multisite installations or triggers an uncaught fatal error on single-site setups.

An unauthenticated remote attacker can supply a crafted request to the endpoint and, on WordPress multisite, invoke switch_to_blog() with an arbitrary site identifier to retrieve calendar events from any subsite, including private or hidden ones. On single-site installations the same request produces a PHP fatal error that crashes the worker thread, resulting in an unauthenticated denial of service. The CVSS 4.0 score of 8.8 reflects network-exploitable confidentiality and availability impact without authentication or user interaction.

The flaw is resolved in version 3.7.7, as stated in the project release notes and the accompanying GitHub security advisories. The EPSS score has remained flat at 0.0310 with no material increase after disclosure.

Vulnerability details

My Calendar is a WordPress plugin for managing calendar events. In versions 3.7.6 and below, the mc_ajax_mcjs_action AJAX endpoint, registered for unauthenticated users, passes user-supplied arguments through parse_str() without validation, allowing injection of arbitrary parameters including a site value. On WordPress Multisite installations, this enables an unauthenticated attacker to call switch_to_blog() with an arbitrary site ID and extract calendar events from any sub-site on the network, including private or hidden events. On standard Single Site installations, switch_to_blog() does not exist, causing an uncaught PHP fatal error and crashing the worker thread, creating an unauthenticated denial of service vector. This issue has been fixed in version 3.7.7.
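The weakness described above, as an added illustration that is not the My Calendar plugin's own code: the unsafe pattern (parse_str() accepting every key the client sends, so an unexpected site value reaches switch_to_blog()) beside a hardened handler that allowlists parameters, casts the site ID, and refuses it unless multisite is active and the ID names a real, public site. The handler and parameter names, the allowlisted month key and the $_POST['args'] carrier are assumptions; only the WordPress functions are real.

```php
<?php
// Added illustration, not the My Calendar plugin's code; function and
// parameter names are assumptions, only the WordPress APIs are real.
// Unsafe pattern from the advisory: parse_str() turns the whole client
// string into an array, so an unexpected key such as 'site' is accepted.
function mcjs_handler_unsafe() {
    $args = array();
    parse_str( wp_unslash( $_POST['args'] ?? '' ), $args );
    if ( isset( $args['site'] ) ) {
        // Undefined on a single-site install: uncaught fatal error (DoS).
        switch_to_blog( (int) $args['site'] );
        // ... fetch and return events for the switched blog ...
        restore_current_blog();
    }
}

// Hardened handler: allowlist expected keys, and never take a site ID from an
// unauthenticated client unless it names a real, public site on this network.
function mcjs_handler_hardened() {
    $raw = array();
    parse_str( wp_unslash( $_POST['args'] ?? '' ), $raw );
    $args = array_intersect_key( $raw, array( 'site' => true, 'month' => true ) );
    $site_id  = isset( $args['site'] ) ? absint( $args['site'] ) : 0;
    $switched = false;
    if ( $site_id ) {
        if ( ! is_multisite() ) {
            wp_send_json_error( 'site parameter not supported', 400 ); // exits
        }
        $site   = get_site( $site_id );
        $usable = $site && '1' === $site->public && '0' === $site->archived
            && '0' === $site->deleted && '0' === $site->spam;
        if ( ! $usable ) {
            wp_send_json_error( 'invalid site', 400 ); // exits
        }
        switch_to_blog( $site_id );
        $switched = true;
    }
    // ... build the event payload for the current (possibly switched) site,
    // applying the same per-event visibility checks used for normal rendering ...
    $events = array();
    if ( $switched ) {
        restore_current_blog();
    }
    wp_send_json_success( $events );
}
```

The hardened handler would be registered on the plugin's wp_ajax_nopriv_ and wp_ajax_ hooks in place of the unsafe one; restricting the endpoint to the current site entirely is the simpler option where cross-site event lookup is not a product requirement.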

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-mapped)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1499 Endpoint Denial of Service (Impact): Adversaries may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to users.
Why these techniques?

The flaw is exploited remotely and without authentication against a public-facing WordPress plugin (T1190), yielding an authorization bypass on multisite and a worker-thread denial of service via a fatal error on single-site installations (T1499).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-41471 (shared CWE-639)
CVE-2023-36331 (shared CWE-639)
CVE-2026-33297 (shared CWE-639)
CVE-2026-41084 (shared CWE-639)
CVE-2024-50685 (shared CWE-639)
CVE-2019-25235 (shared CWE-639)
CVE-2026-28469 (shared CWE-639)
CVE-2026-33511 (shared CWE-639)
CVE-2026-40600 (shared CWE-639)
CVE-2026-5396 (shared CWE-639)

Affected Assets

Inferred from references and description; NVD did not file a CPE for this CVE.

Mitigating Controls

Likely Mitigating Controls (AI-mapped)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-639: Per-request decision making makes it harder to bypass authorization using user-controlled keys without proper validation in the decision process.

Addresses CWE-639: Consistent enforcement of approved authorizations makes bypassing via user-controlled keys ineffective.
