Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-11896

CVE-2026-11896: My Calendar Plugin Info Disclosure Bug

CVE-2026-11896 is an information disclosure vulnerability in the My Calendar plugin for WordPress that exposes non-public event data. This article covers the technical details, affected versions, impact, and mitigation.

Published:

CVE-2026-11896 Overview

CVE-2026-11896 is an Insecure Direct Object Reference [CWE-639] vulnerability in the My Calendar – Accessible Event Manager plugin for WordPress. The flaw affects all versions up to and including 3.7.14. The plugin fails to validate a user-controlled key in the vcal parameter, allowing unauthenticated attackers to enumerate occurrence IDs. Successful exploitation exposes the full iCalendar export of non-public, draft, trashed, and personal calendar events. Disclosed data includes event titles, descriptions, dates, locations, organizer and host details, permalinks, and related calendar metadata.

Critical Impact

Unauthenticated attackers can enumerate event occurrence IDs and retrieve iCalendar exports containing sensitive metadata from non-public, draft, trashed, and personal events.

Affected Products

  • My Calendar – Accessible Event Manager plugin for WordPress
  • All versions up to and including 3.7.14
  • WordPress sites exposing the plugin's iCalendar export endpoint

Discovery Timeline

  • 2026-07-02 - CVE-2026-11896 published to the National Vulnerability Database
  • 2026-07-02 - Last updated in NVD database

Technical Details for CVE-2026-11896

Vulnerability Analysis

The vulnerability resides in the plugin's iCalendar export handler. The vcal request parameter accepts a user-controlled identifier that maps directly to an event occurrence in the database. The plugin dereferences this identifier without validating whether the requester has permission to view the associated event. Because the check is missing, the export function returns the full iCalendar payload for any referenced occurrence regardless of its publication status.

The impact is confidentiality-focused. Attackers do not need authentication, user interaction, or elevated privileges to reach the vulnerable code path. Draft, trashed, private, and personal events are all reachable through predictable numeric occurrence IDs. Exposed metadata includes event titles, descriptions, dates, locations, organizer names, host details, and permalinks, which can be aggregated for reconnaissance or targeted phishing.

Root Cause

The root cause is missing authorization on a user-controlled key, which is the canonical pattern for Insecure Direct Object Reference [CWE-639]. The iCalendar export function trusts the vcal parameter as an authorization token when it is only an object identifier. No capability check, nonce verification, or event visibility check gates the response. Relevant source lines are referenced in the plugin trunk at includes/ical.php and my-calendar-api.php.

Attack Vector

Exploitation occurs over the network against a publicly reachable WordPress site running a vulnerable plugin version. An attacker issues HTTP GET requests to the My Calendar endpoint while iterating numeric values in the vcal parameter. Each valid identifier returns an iCalendar file containing the private event data. The technique is trivial to automate and produces no authentication artifacts. See the Wordfence Vulnerability Report and WordPress My Calendar iCal source for technical details.

// No verified exploit code available.
// Attack pattern: HTTP GET requests to the My Calendar export endpoint
// with sequentially incremented values in the vcal parameter,
// harvesting iCalendar responses for non-public occurrence IDs.

Detection Methods for CVE-2026-11896

Indicators of Compromise

  • Repeated HTTP GET requests to the My Calendar endpoint containing the vcal query parameter with sequentially incrementing numeric values.
  • Unusual volume of text/calendar or .ics responses served from /wp-content/plugins/my-calendar/ or associated API routes.
  • Requests from a single source IP enumerating a wide range of event occurrence identifiers within a short window.

Detection Strategies

  • Inspect web server access logs for the vcal parameter and flag sessions retrieving more iCalendar exports than a normal user would consume.
  • Correlate WordPress access logs with plugin version inventory to identify sites still running My Calendar 3.7.14 or earlier.
  • Alert on unauthenticated clients receiving iCalendar payloads referencing draft, trashed, or private events.

Monitoring Recommendations

  • Enable verbose WordPress request logging for plugin endpoints and forward logs to a centralized analytics or SIEM platform.
  • Rate-limit requests to the My Calendar export endpoint at the reverse proxy or web application firewall layer.
  • Track outbound bandwidth spikes on .ics content types that could indicate bulk enumeration.

How to Mitigate CVE-2026-11896

Immediate Actions Required

  • Update the My Calendar – Accessible Event Manager plugin to a version later than 3.7.14 as soon as the vendor-patched release is available.
  • Audit existing calendars for draft, trashed, or personal events containing sensitive metadata and rotate any data considered exposed.
  • Restrict access to the plugin's iCalendar export endpoint at the web application firewall until patching is confirmed.

Patch Information

The fix is tracked in the plugin's trunk. Review the WordPress My Calendar Changeset Details for the code changes that add validation on the user-controlled key. Site administrators should upgrade through the standard WordPress plugin update mechanism once the patched release is published.

Workarounds

  • Deploy a web application firewall rule that blocks unauthenticated requests carrying the vcal parameter to the My Calendar endpoint.
  • Temporarily disable the My Calendar plugin on sites that publish sensitive draft or private events until the patched version is deployed.
  • Set draft and personal events to a separate calendar that is not rendered by the plugin's public export routines.
bash
# Example WAF rule (ModSecurity syntax) to block unauthenticated vcal enumeration
SecRule REQUEST_URI "@contains vcal=" \
    "id:1026118960,\
    phase:1,\
    deny,\
    status:403,\
    log,\
    msg:'Block My Calendar vcal IDOR enumeration (CVE-2026-11896)'"

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.