My Calendar WordPress Plugin Unauthenticated IDOR Vulnerability Allowing Event Extraction or Denial-of-Service

Vulnerability

A vulnerability in the My Calendar WordPress plugin, affecting versions through 3.7.6, lets unauthenticated users reach the mc_ajax_mcjs_action AJAX handler (served by wp-admin/admin-ajax.php with action=mcjs_action). The endpoint is available to all users and does not validate the user-supplied args parameter, so an attacker can inject arbitrary keys, including a site ID. On WordPress Multisite installations the handler passes that site ID to switch_to_blog(), so the request is served in the context of whichever sub-site the attacker names and returns that sub-site's calendar events, including private events. On single-site installations switch_to_blog() is a Multisite-only function and is not defined, so the same request triggers an uncaught PHP fatal error that aborts the request; sending it repeatedly produces an unauthenticated denial-of-service condition.

Impact

On Multisite networks an unauthenticated attacker can read calendar events, including private ones, from any sub-site simply by supplying its site ID. On single-site installations the same request ends in an uncaught PHP fatal error, giving an unauthenticated denial-of-service condition that requires no credentials.

Reproduction

To reproduce on a WordPress Multisite installation, send an unauthenticated request to wp-admin/admin-ajax.php with the action parameter set to mcjs_action, the behavior parameter set to loadupcoming, and an args parameter whose site key is the ID of a sub-site that has calendar events. The handler calls switch_to_blog() with that ID and returns the sub-site's events in the response. On a standard single-site installation the same request, with any truthy value in the site argument, reaches the undefined switch_to_blog() and dies with an uncaught PHP fatal error; repeating the request produces the denial-of-service condition.
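Because the endpoint needs no authentication, the only trace of an attempt is the request itself. The following detector is an added example, not code from the advisory or the plugin: it scans combined-format access-log lines for admin-ajax.php requests with action=mcjs_action that carry a site ID in args. The advisory does not spell out how args is encoded, so the two forms it accepts (the PHP array form args[site]=N and a JSON-encoded args string) are assumptions, and the log lines are constructed sample data.

```python
"""Flag My Calendar mcjs_action requests that carry a site ID override.

Added example for the advisory above; the args encodings handled here and
the sample log lines are assumptions/constructed data, not from the plugin.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Apache/nginx combined log format: ip - - [time] "METHOD target HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    # legitimate widget refresh: args present, but no site override
    '203.0.113.5 - - [16/Apr/2026:10:28:01 +0000] "GET /wp-admin/admin-ajax.php'
    '?action=mcjs_action&behavior=loadupcoming&args%5Bcategory%5D=3 HTTP/1.1" 200 812',
    # site override in PHP-array form (IDOR on Multisite, fatal error on single site)
    '198.51.100.7 - - [16/Apr/2026:10:28:05 +0000] "GET /wp-admin/admin-ajax.php'
    '?action=mcjs_action&behavior=loadupcoming&args%5Bsite%5D=2 HTTP/1.1" 200 4410',
    # same override, JSON-encoded args; constructed status for an aborted request
    '198.51.100.7 - - [16/Apr/2026:10:28:06 +0000] "GET /wp-admin/admin-ajax.php'
    '?action=mcjs_action&behavior=loadupcoming&args=%7B%22site%22%3A%227%22%7D HTTP/1.1" 500 0',
    # unrelated AJAX action, must not be flagged
    '203.0.113.9 - - [16/Apr/2026:10:29:00 +0000] "POST /wp-admin/admin-ajax.php'
    '?action=heartbeat HTTP/1.1" 200 52',
]


def extract_site_ids(query):
    """Return site IDs carried in args (assumed encodings: args[site]=N or JSON args)."""
    ids = []
    for key, values in query.items():
        if key == "args[site]":
            ids.extend(values)
        elif key == "args":
            for value in values:
                match = re.search(r'"site"\s*:\s*"?(\d+)', value)
                if match:
                    ids.append(match.group(1))
    return ids


def classify_request(method, target):
    """Describe a suspicious mcjs_action request, or return None if it is benign."""
    parts = urlsplit(target)
    if not parts.path.endswith("/wp-admin/admin-ajax.php"):
        return None
    query = parse_qs(parts.query, keep_blank_values=True)
    if query.get("action") != ["mcjs_action"]:
        return None
    site_ids = extract_site_ids(query)
    if not site_ids:
        return None  # ordinary front-end use of the endpoint
    return {
        "method": method,
        "behavior": query.get("behavior", [None])[0],
        "site_ids": site_ids,
    }


def scan_log(lines):
    """Return one hit per log line whose request overrides the site ID."""
    hits = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue
        hit = classify_request(match["method"], match["target"])
        if hit:
            hit.update(ip=match["ip"], time=match["time"], status=int(match["status"]))
            hits.append(hit)
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f'{hit["time"]} {hit["ip"]} site={",".join(hit["site_ids"])} '
              f'behavior={hit["behavior"]} status={hit["status"]}')
```

Access logs record only the query string, so this catches GET requests; admin-ajax.php reads its parameters from the request as a whole, and the same payload sent in a POST body is only visible with request-body logging or a WAF in front of the site. A hit on a single-site installation is worth correlating with PHP fatal errors in the error log at the same timestamp.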

Remediation

Update the My Calendar WordPress plugin to version 3.7.7 or later, where this vulnerability is fixed. Site owners, and Multisite network administrators in particular, should also review web-server logs for unauthenticated requests to wp-admin/admin-ajax.php with action=mcjs_action that carry a site ID in the args parameter, since such requests indicate attempted event extraction or denial of service.

Added: Apr 16, 2026, 10:28 PM
Updated: Apr 16, 2026, 10:28 PM

Vulnerability Rating

Custom Algorithm
spread: 6.4
impact: 0.6
exploitability: 9.3
remediation: 7.7
relevance: 6.0
threat: 6.5
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.