Private Google Calendars WordPress Plugin Missing Authorization Vulnerability Allowing Settings Reset

Vulnerability

A vulnerability exists in the Private Google Calendars plugin for WordPress, affecting all versions up to and including 20250811. The issue arises from a missing capability check on the 'pgc_remove' action, which allows authenticated attackers with Subscriber-level access and above to modify data without authorization by resetting the plugin's settings.
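
The pattern behind this class of bug, and the shape of a fix, as an added example that is not the plugin's own code. It assumes the 'pgc_remove' action is dispatched through admin-post.php; the function, option and nonce names are hypothetical.

```php
<?php
// Added illustration, not the plugin's source.
// Assumption: 'pgc_remove' is handled via admin-post.php.
// Hypothetical names: example_pgc_* functions, 'example_pgc_settings'
// option, 'example_pgc_remove' nonce action.

// Unchecked shape: admin_post_{action} hooks fire for ANY logged-in user,
// so a Subscriber reaches this handler and the settings are reset.
function example_pgc_remove_unchecked() {
    delete_option( 'example_pgc_settings' );
    wp_safe_redirect( admin_url( 'options-general.php' ) );
    exit;
}

// Hardened shape: check capability first, then intent (nonce), then act.
function example_pgc_remove_checked() {
    // Authorization: only users who may manage site options can proceed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die(
            esc_html__( 'You are not allowed to reset these settings.' ),
            '',
            array( 'response' => 403 )
        );
    }

    // CSRF protection: the settings form must emit a matching token with
    // wp_nonce_field( 'example_pgc_remove' ); this call dies on a bad
    // or missing nonce.
    check_admin_referer( 'example_pgc_remove' );

    delete_option( 'example_pgc_settings' );
    wp_safe_redirect( admin_url( 'options-general.php' ) );
    exit;
}

// Register only the hardened handler for the action.
add_action( 'admin_post_pgc_remove', 'example_pgc_remove_checked' );
```

A nonce alone is not an authorization control, since any logged-in user can obtain one for a form they can view; the capability check is what closes the gap described here.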

Impact

Exploitation of this vulnerability allows for unauthorized modification of the plugin's settings by authenticated users with Subscriber-level access or higher.

Added: Nov 11, 2025, 4:41 AM
Updated: Nov 11, 2025, 4:41 AM

Vulnerability Rating

Custom Algorithm
spread: 2.2
impact: 0.6
exploitability: 5.4
remediation: 0.0
relevance: 1.0
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.