CVE-2025-67592
Description
Missing Authorization vulnerability in Joe Dolson My Calendar my-calendar allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects My Calendar: from n/a through <= 3.6.16.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The My Calendar WordPress plugin (<= 3.6.16) is missing an authorization check, which lets an attacker exploit incorrectly configured access controls.
Vulnerability Overview
The My Calendar plugin for WordPress, versions 3.6.16 and earlier, suffers from a Missing Authorization vulnerability [1]. This issue stems from incorrectly configured access control security levels, which can lead to unauthorized actions being performed by an unauthenticated or low-privileged user.
Exploitation Details
An attacker can exploit this broken access control vulnerability by sending crafted requests that bypass the intended authorization checks [1]. No authentication or special privileges are required, as the missing authorization check allows any user to trigger functionality that should be restricted to higher-privileged roles.
Impact
Successful exploitation could allow an attacker to execute actions that are normally reserved for administrators or other privileged users, potentially leading to unauthorized modifications, data exposure, or other malicious activities within a WordPress site [1].
Mitigation
The vendor has released version 3.6.17, which addresses this vulnerability [1]. Users are strongly advised to update immediately. For sites that cannot be updated immediately, temporary mitigations (such as disabling the plugin or using a web application firewall) may reduce risk, but updating is the definitive solution [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <= 3.6.16
Patches
No patches discovered yet.
References