cbcvebase.
CVE-2026-40308
published 2026-04-16


Priority: P267 · high · 8.8 · CVSS 4.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EXPLOIT
EPSS: 0.93% (56.2th percentile)
My Calendar is a WordPress plugin for managing calendar events. In versions 3.7.6 and below, the mc_ajax_mcjs_action AJAX endpoint, registered for unauthenticated users, passes user-supplied arguments through parse_str() without validation, allowing injection of arbitrary parameters including a site value. On WordPress Multisite installations, this enables an unauthenticated attacker to call switch_to_blog() with an arbitrary site ID and extract calendar events from any sub-site on the network, including private or hidden events. On standard Single Site installations, switch_to_blog() does not exist, causing an uncaught PHP fatal error and crashing the worker thread, creating an unauthenticated denial of service vector. This issue has been fixed in version 3.7.7.

Affected (2 ranges)

Vendor     Product      Version range   Fixed in
joedolson  my-calendar  < 3.7.7         3.7.7
joedolson  my-calendar  >= 0 < 3.7.7    3.7.7

Detection & IOCs (extracted from sources)

url:   /wp-admin/admin-ajax.php?action=mcjs_action&behavior=loadupcoming&args&site=1
path:  /wp-content/plugins/my-calendar/readme.txt
other: action=mcjs_action
  • On WordPress Multisite, an unauthenticated attacker injects a 'site' parameter via parse_str() in the mc_ajax_mcjs_action endpoint to call switch_to_blog() with an arbitrary site ID, enabling cross-site event data extraction.
  • On Single Site WordPress installations, the same unauthenticated request to mc_ajax_mcjs_action with a 'site' parameter triggers a PHP fatal error (switch_to_blog() does not exist), crashing the worker thread — monitor for repeated 500-level errors or PHP fatal logs from this endpoint as a DoS indicator.
  • Use Shodan or FOFA to identify exposed targets: Shodan query http.html:"/wp-content/plugins/my-calendar/" and FOFA query body="/wp-content/plugins/my-calendar/" && title="WordPress".
  • Exploitation path differs by WordPress installation type: Multisite yields information disclosure (private event extraction across sub-sites); Single Site yields unauthenticated denial of service via PHP fatal error. Detection logic should account for both scenarios.
  • The Nuclei template uses a two-step flow: first confirm plugin presence and version via readme.txt, then trigger the AJAX endpoint. Version check alone (<=3.7.6) is insufficient without confirming the endpoint response.
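The detection logic the notes above call for, covering both scenarios, as an added example that is not code from the advisory, the plugin or the Nuclei template: it applies the page's IOCs (the admin-ajax.php endpoint, action=mcjs_action and an injected `site` parameter) to constructed combined-format access log lines, reporting a `site` parameter as the Multisite extraction pattern and a 5xx response from the same endpoint as the Single Site DoS indicator. Checking for `site` URL-encoded inside `args` is an assumption about where the injected parameter could also surface.

```python
"""Flag My Calendar AJAX requests matching the advisory's IOCs in an access log.

Added detection example, not code from the advisory or the plugin; the log
lines below are constructed. Assumes Apache/nginx combined log format.
"""
import re
from urllib.parse import parse_qs, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')
ENDPOINT = "/wp-admin/admin-ajax.php"
ACTION = "mcjs_action"  # AJAX action named in the advisory


def carries_site_param(query: str) -> bool:
    """True if a `site` key is present at top level or URL-encoded inside `args`."""
    # keep_blank_values mirrors PHP parse_str(): a bare `args` token still yields a key.
    params = parse_qs(query, keep_blank_values=True)
    if "site" in params:
        return True
    # Assumption: an injected `site` could also be smuggled inside the `args` value.
    return any("site" in parse_qs(v, keep_blank_values=True) for v in params.get("args", []))


def classify(line: str):
    """Return (client_ip, kind) for a suspicious mcjs_action request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    if parts.path != ENDPOINT:
        return None
    if parse_qs(parts.query).get("action") != [ACTION]:
        return None
    if carries_site_param(parts.query):
        return (m["ip"], "site-injection")  # Multisite cross-site extraction pattern
    if m["status"].startswith("5"):
        return (m["ip"], "endpoint-5xx")    # Single Site fatal-error / DoS indicator
    return None


def scan(lines):
    """Run classify() over an iterable of log lines and keep the findings."""
    return [f for f in map(classify, lines) if f]


# Constructed sample lines (not real traffic); the first mirrors the advisory's IOC URL.
SAMPLE_LOG = [
    '203.0.113.5 - - [16/Apr/2026:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=mcjs_action&behavior=loadupcoming&args&site=1 HTTP/1.1" 200 5120',
    '203.0.113.5 - - [16/Apr/2026:10:00:02 +0000] "GET /wp-admin/admin-ajax.php?action=mcjs_action&args=site%3D2 HTTP/1.1" 200 4096',
    '198.51.100.9 - - [16/Apr/2026:10:00:03 +0000] "GET /wp-admin/admin-ajax.php?action=mcjs_action&behavior=loadupcoming HTTP/1.1" 500 0',
    '198.51.100.9 - - [16/Apr/2026:10:00:04 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 80',
]
```

Because POST bodies are not recorded in access logs, this only sees parameters sent in the query string; a WAF or PHP-level log is needed to cover POSTed parameters.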