
CVE-2026-22351: WP FullCalendar Auth Bypass Vulnerability

CVE-2026-22351 is an authorization bypass flaw in WP FullCalendar plugin for WordPress that allows attackers to exploit misconfigured access controls. This article covers technical details, affected versions, and fixes.

CVE-2026-22351 Overview

CVE-2026-22351 is a Missing Authorization vulnerability [CWE-862] in the WP FullCalendar WordPress plugin maintained by Marcus (@msykes). The flaw stems from incorrectly configured access control security levels, allowing unauthenticated network-based actors to interact with plugin functionality that should be restricted. The issue affects WP FullCalendar versions up to and including 1.6.

The vulnerability carries a CVSS 3.1 score of 7.5 and impacts confidentiality without requiring authentication or user interaction. No public exploit code is currently available, and the issue is not listed in the CISA Known Exploited Vulnerabilities catalog.

Critical Impact

Unauthenticated attackers can abuse broken access control in WP FullCalendar to access protected data exposed through the plugin's calendar endpoints.

Affected Products

  • WP FullCalendar plugin for WordPress, versions up to and including 1.6
  • WordPress sites running the plugin with default access control settings
  • Maintainer: Marcus (@msykes)

Discovery Timeline

  • 2026-02-20 - CVE-2026-22351 published to NVD
  • 2026-04-28 - Last updated in NVD database

Technical Details for CVE-2026-22351

Vulnerability Analysis

The WP FullCalendar plugin exposes functionality through WordPress AJAX or REST endpoints without enforcing appropriate capability checks. The plugin treats certain actions as accessible to any visitor rather than restricting them to authorized roles. Attackers can craft direct HTTP requests to plugin endpoints and retrieve information that the WordPress permission model should gate.

The vulnerability is classified under CWE-862: Missing Authorization. The CVSS vector indicates the attack is reachable over the network with low complexity and no privileges, and it impacts the confidentiality of data returned by the plugin. Integrity and availability are not affected, which aligns with a read-oriented information exposure rather than a modification or denial-of-service flaw.

EPSS scoring data places the probability of observed exploitation at a low level as of mid-2026, but the absence of authentication requirements lowers the barrier for opportunistic scanning once details are public.

Root Cause

The root cause is the absence of current_user_can() capability checks, nonce validation, or equivalent authorization logic on plugin handlers. Functions that should validate the requester's role instead execute their business logic immediately on receiving a request.
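As an added illustration of that pattern (not WP FullCalendar's own code, and not the plugin's actual handler), the following shows a hypothetical AJAX handler that hands calendar data to any visitor beside a hardened version that requires a nonce and a capability. The action name example_calendar_feed, the post type 'event', the meta key '_event_start' and the capability read_private_posts are assumptions made for the example.

```php
<?php
// Added illustration of the CWE-862 pattern in a WordPress AJAX handler.
// Not WP FullCalendar's code: the action name example_calendar_feed, the
// post type 'event', the meta key '_event_start' and the capability
// read_private_posts are all assumed for the example.

// Shared serializer: expose only the fields the calendar UI needs.
function example_event_to_array( WP_Post $event ): array {
    return array(
        'id'    => $event->ID,
        'title' => get_the_title( $event ),
        'start' => get_post_meta( $event->ID, '_event_start', true ),
    );
}

function example_query_events(): array {
    return get_posts( array(
        'post_type'   => 'event',
        'post_status' => array( 'publish', 'private' ), // private rows included
        'numberposts' => 50,
    ) );
}

// VULNERABLE PATTERN (shown for contrast; registrations left commented out
// so this file only wires up the hardened handler). The nopriv hook makes
// the action reachable without a session, and nothing checks a nonce or a
// capability, so any visitor sending action=example_calendar_feed to
// admin-ajax.php receives the private events too.
function example_calendar_feed_unprotected(): void {
    wp_send_json( array_map( 'example_event_to_array', example_query_events() ) );
}
// add_action( 'wp_ajax_example_calendar_feed', 'example_calendar_feed_unprotected' );
// add_action( 'wp_ajax_nopriv_example_calendar_feed', 'example_calendar_feed_unprotected' );

// HARDENED PATTERN: no nopriv registration, a nonce bound to this action,
// and a capability check before any data is read. check_ajax_referer()
// ends the request with a 403 on a bad or missing nonce; the capability
// failure returns a 403 JSON error instead of the data.
function example_calendar_feed_protected(): void {
    check_ajax_referer( 'example_calendar_feed', 'nonce' );
    if ( ! current_user_can( 'read_private_posts' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }
    wp_send_json_success( array_map( 'example_event_to_array', example_query_events() ) );
}
add_action( 'wp_ajax_example_calendar_feed', 'example_calendar_feed_protected' );
```

The front end must send a `nonce` field created with wp_create_nonce( 'example_calendar_feed' ), for instance passed through wp_localize_script(). A calendar that is meant to be public should expose only published events through a handler that deliberately omits private data rather than reusing the privileged one.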

Attack Vector

An attacker sends an unauthenticated HTTP request to the vulnerable plugin endpoint. The endpoint processes the request and returns calendar data or other resources that should remain restricted. No user interaction or prior account is required.

The vulnerability is described in prose only; no verified proof-of-concept code is published. For technical specifics, refer to the Patchstack WordPress Vulnerability Notice.

Detection Methods for CVE-2026-22351

Indicators of Compromise

  • Unauthenticated HTTP GET or POST requests to wp-admin/admin-ajax.php referencing WP FullCalendar actions
  • Spikes in anonymous traffic to plugin endpoints from a small number of source IP addresses
  • Web server access logs showing repeated calendar-related queries with no associated session cookies

Detection Strategies

  • Inventory WordPress installations and identify any running WP FullCalendar version 1.6 or earlier
  • Review web application firewall logs for requests targeting the plugin's AJAX actions without authentication
  • Correlate WordPress audit logs with access logs to identify endpoint calls that bypass normal user workflows
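As an added example of the access-log review described above (not part of the advisory), the script below scans log lines for successful admin-ajax.php calls whose action parameter looks like a WP FullCalendar action and that carry no WordPress login cookie, then reports source addresses exceeding a threshold. It assumes PHP 8, a combined log format with the request's Cookie header appended as a final quoted field, and that "fullcalendar" is a substring of the plugin's real action name; the sample lines are constructed.

```php
<?php
// Added detection helper, not from the advisory. Assumes PHP 8, combined log
// format with the Cookie header as a trailing quoted field, and "fullcalendar"
// as a substring of the plugin's real AJAX action (an assumption).

const WP_AJAX_PATH   = '/wp-admin/admin-ajax.php';
const ACTION_PATTERN = '/fullcalendar/i';

// admin-ajax.php reads the action from $_REQUEST, so a query-string action on
// GET or POST is visible in the log; POST bodies are not logged and are missed.
function classify_line( string $line ): ?array {
    $re = '/^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "[^"]*" "([^"]*)"$/';
    if ( ! preg_match( $re, $line, $m ) ) {
        return null;
    }
    [ , $ip, $target, $status, $cookies ] = $m;
    $url = parse_url( $target );
    if ( ( $url['path'] ?? '' ) !== WP_AJAX_PATH ) {
        return null;
    }
    parse_str( $url['query'] ?? '', $query );
    if ( ! preg_match( ACTION_PATTERN, (string) ( $query['action'] ?? '' ) ) ) {
        return null;
    }
    // Every logged-in WordPress session carries a wordpress_logged_in_* cookie.
    return [ 'ip' => $ip, 'status' => (int) $status,
             'authenticated' => str_contains( $cookies, 'wordpress_logged_in_' ) ];
}

// Counts successful anonymous plugin calls per source IP; returns sources at or above $threshold.
function flag_sources( array $lines, int $threshold = 2 ): array {
    $hits = [];
    foreach ( $lines as $line ) {
        $h = classify_line( $line );
        if ( $h !== null && ! $h['authenticated'] && $h['status'] === 200 ) {
            $hits[ $h['ip'] ] = ( $hits[ $h['ip'] ] ?? 0 ) + 1;
        }
    }
    return array_filter( $hits, fn( int $n ) => $n >= $threshold );
}

// Constructed sample lines: two anonymous hits from one address, one logged-in hit from another.
$sample = [
    '203.0.113.9 - - [01/Mar/2026:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=wp_fullcalendar&start=2026-03-01 HTTP/1.1" 200 812 "-" "curl/8.5" "-"',
    '203.0.113.9 - - [01/Mar/2026:10:00:02 +0000] "GET /wp-admin/admin-ajax.php?action=wp_fullcalendar&start=2026-04-01 HTTP/1.1" 200 790 "-" "curl/8.5" "-"',
    '198.51.100.4 - - [01/Mar/2026:10:05:00 +0000] "GET /wp-admin/admin-ajax.php?action=wp_fullcalendar HTTP/1.1" 200 812 "https://example.test/calendar/" "Mozilla/5.0" "wordpress_logged_in_abc=editor|1; wp-settings-1=x"',
];
print_r( flag_sources( $sample ) );
```

Feed real log lines through flag_sources() with `file( '/path/to/access.log', FILE_IGNORE_NEW_LINES )`; confirm the plugin's true action name against the installed plugin before relying on the pattern.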

Monitoring Recommendations

  • Enable WordPress activity logging to capture anonymous requests reaching plugin handlers
  • Forward web server and WAF logs to a centralized SIEM for retention and analytics
  • Alert on unusual outbound data volumes from WordPress hosts that could indicate scraping of exposed records

How to Mitigate CVE-2026-22351

Immediate Actions Required

  • Identify all WordPress sites with WP FullCalendar installed and confirm the installed version
  • Disable or remove the WP FullCalendar plugin on sites where a patched release is not yet available
  • Restrict access to wp-admin/admin-ajax.php for unauthenticated users where business workflows permit

Patch Information

At the time of publication, the advisory lists affected versions through 1.6. Administrators should consult the Patchstack WordPress Vulnerability Notice for the latest fixed version and upgrade guidance, and apply the vendor-supplied update once available.

Workarounds

  • Deploy WAF rules that block unauthenticated requests to WP FullCalendar AJAX actions
  • Place the plugin's endpoints behind an authentication proxy or IP allowlist where feasible
  • Remove the plugin entirely if its functionality is not required on the affected site
```bash
# Example: list and deactivate the plugin using WP-CLI
wp plugin list --name=wp-fullcalendar --fields=name,status,version
wp plugin deactivate wp-fullcalendar
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
