CVE-2026-40308
Published 2026-04-16
Priority: P2 (67) · Severity: high · CVSS 4.0 base score: 8.8
CVSS 4.0 vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Exploit: EPSS 0.93% (56.2nd percentile)
My Calendar is a WordPress plugin for managing calendar events. In versions 3.7.6 and below, the mc_ajax_mcjs_action AJAX endpoint, registered for unauthenticated users, passes user-supplied arguments through parse_str() without validation, allowing injection of arbitrary parameters including a site value. On WordPress Multisite installations, this enables an unauthenticated attacker to call switch_to_blog() with an arbitrary site ID and extract calendar events from any sub-site on the network, including private or hidden events. On standard Single Site installations, switch_to_blog() does not exist, causing an uncaught PHP fatal error and crashing the worker thread, creating an unauthenticated denial of service vector. This issue has been fixed in version 3.7.7.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| joedolson | my-calendar | < 3.7.7 | 3.7.7 |
| joedolson | my-calendar | >= 0 < 3.7.7 | 3.7.7 |
Detection & IOCs (extracted from sources)
- On WordPress Multisite, an unauthenticated attacker injects a 'site' parameter via parse_str() in the mc_ajax_mcjs_action endpoint to call switch_to_blog() with an arbitrary site ID, enabling cross-site event data extraction.
- On Single Site WordPress installations, the same unauthenticated request to mc_ajax_mcjs_action with a 'site' parameter triggers a PHP fatal error (switch_to_blog() does not exist), crashing the worker thread; monitor for repeated 500-level errors or PHP fatal logs from this endpoint as a DoS indicator.
- Use Shodan or FOFA to identify exposed targets: Shodan query http.html:"/wp-content/plugins/my-calendar/" and FOFA query body="/wp-content/plugins/my-calendar/" && title="WordPress".
- Exploitation path differs by WordPress installation type: Multisite yields information disclosure (private event extraction across sub-sites); Single Site yields unauthenticated denial of service via PHP fatal error. Detection logic should account for both scenarios.
- The Nuclei template uses a two-step flow: first confirm plugin presence and version via readme.txt, then trigger the AJAX endpoint. A version check alone (<= 3.7.6) is insufficient without confirming the endpoint response.
No detection rules found.
Nuclei template: CVE-2026-40308 [HIGH] My Calendar WordPress Plugin - Information Disclosure (CVSS 8.8)
Template:
```yaml
id: CVE-2026-40308

info:
  name: My Calendar WordPress Plugin - Information Disclosure
  author: theamanrawat
  severity: high
  description: |
    My Calendar WordPress plugin <= 3.7.6 contains an injection vulnerability caused by unvalidated user input passed to parse_str() in mc_ajax_mcjs_action endpoint, letting unauthenticated attackers access or crash sites via switch_to_blog(), exploit requires WordPress Multisite or Single Site setup
```
No writeups or analysis indexed.