My Calendar WordPress Plugin Authorization Bypass Vulnerability Allowing Unauthorized Event Publication

Vulnerability

A vulnerability exists in the My Calendar – Accessible Event Manager plugin for WordPress, affecting all versions up to and including 3.7.9. The issue stems from the plugin's failure to properly verify user authorization for certain actions. This flaw enables authenticated attackers with custom-level access or higher to bypass the normal moderation and approval processes. Exploitation involves manipulating the POST request to publish events or change event statuses to unauthorized options like 'cancelled' or 'private', contrary to the permissions of their assigned role. Although the user interface restricts lower-privilege users to saving drafts, this limitation is only enforced on the client side, so it can be bypassed by modifying the POST request directly.

Impact

Exploitation of this vulnerability allows for unauthorized event publication and manipulation of event statuses, disrupting the intended moderation workflow.

Reproduction

To reproduce this vulnerability, an authenticated user with custom-level access can manually alter the POST request data. This can be done using browser developer tools or a plugin that modifies request data before it is sent. The user can bypass the client-side restrictions and submit events with unauthorized statuses such as 'cancelled' or 'private'.
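As an added illustration that is not the plugin's own code, the PHP below contrasts the flaw class with its fix: a save handler that trusts the event status submitted in the POST body, next to one that derives the permitted status from the current user's capability on the server, so that a client-side restriction is no longer the only control. The handler names, the nonce action and the capability name are hypothetical placeholders; the page does not give My Calendar's real identifiers.

```php
<?php
// Added example, not My Calendar's code. The function names, the nonce action
// 'example_save_event' and the capability 'example_approve_events' are
// placeholders chosen for this illustration.

// Vulnerable pattern: the status in the form is used as submitted. The UI only
// offers "draft" to low-privilege users, but nothing server-side prevents a
// client from sending status=publish, cancelled or private in the POST body.
function vulnerable_save_status( array $post ) : string {
    return isset( $post['event_status'] ) ? (string) $post['event_status'] : 'draft';
}

// Hardened pattern: the allowed status is decided from the user's capability,
// never from what the client asked for. Unknown values also fall back to draft.
function resolve_event_status( string $requested, bool $can_approve ) : string {
    $moderated = array( 'publish', 'cancelled', 'private' ); // require approval rights
    $allowed   = array_merge( $moderated, array( 'draft' ) );
    $requested = sanitize_text_field( $requested );

    if ( ! in_array( $requested, $allowed, true ) ) {
        return 'draft';
    }
    if ( in_array( $requested, $moderated, true ) && ! $can_approve ) {
        // Downgrade to draft so the event still enters the moderation queue.
        return 'draft';
    }
    return $requested;
}

function hardened_save_status( array $post ) : string {
    // Nonce check first: rejects forged or cross-site submissions outright.
    if ( ! isset( $post['_wpnonce'] )
        || ! wp_verify_nonce( $post['_wpnonce'], 'example_save_event' ) ) {
        wp_die( 'Invalid request.' );
    }
    // Capability is evaluated on the server for the logged-in user.
    $can_approve = current_user_can( 'example_approve_events' );
    $requested   = isset( $post['event_status'] ) ? (string) $post['event_status'] : 'draft';
    return resolve_event_status( $requested, $can_approve );
}
```

Any status value a low-privilege user submits resolves to 'draft' in the hardened handler, which is the behaviour the client-side restriction was meant to guarantee.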

Remediation

Users are advised to update the My Calendar – Accessible Event Manager plugin to version 3.7.10 or a newer patched version.

Added: May 14, 2026, 5:21 AM
Updated: May 14, 2026, 5:21 AM

Vulnerability Rating (Custom Algorithm)

spread: 5.2
impact: 0.6
exploitability: 6.4
remediation: 7.7
relevance: 8.3
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.