CVE-2026-1310
📋 TL;DR
The Simple calendar for Elementor WordPress plugin has a missing authorization vulnerability that allows unauthenticated attackers to delete arbitrary calendar entries. This affects all versions up to and including 1.6.6. Any WordPress site using this vulnerable plugin is at risk.
💻 Affected Systems
- Simple calendar for Elementor WordPress plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could delete all calendar entries, causing data loss and disrupting website functionality that depends on calendar data.
Likely Case
Attackers delete some calendar entries, causing minor to moderate disruption to website content and user experience.
If Mitigated
With proper authorization controls, only authorized users can delete calendar entries, preventing unauthorized modifications.
🎯 Exploit Status
Exploitation requires sending a crafted AJAX request with a valid nonce and calendar entry ID. Nonces can be obtained from other plugin pages.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after 1.6.6
Restart Required: No
Instructions:
1. Log into WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find 'Simple calendar for Elementor'.
4. Click 'Update Now' if available, or manually update to latest version.
5. Verify plugin version is above 1.6.6.
🔧 Temporary Workarounds
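Disable vulnerable AJAX endpoint
Platform: all
Remove the vulnerable AJAX action hook to prevent exploitation.
Add to theme's functions.php or custom plugin:
remove_action('wp_ajax_nopriv_miga_editor_cal_delete', 'miga_ajax_editor_cal_delete');
remove_action('wp_ajax_miga_editor_cal_delete', 'miga_ajax_editor_cal_delete');
remove_action() only takes effect if it runs after the plugin has registered the hook and uses the same priority. The second line also disables calendar entry deletion for logged-in users.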
Temporarily disable plugin
Platform: linux
Deactivate the plugin until patched.
wp plugin deactivate simple-calendar-for-elementor
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to block requests to the miga_editor_cal_delete AJAX endpoint
- Restrict access to WordPress admin and AJAX endpoints using IP whitelisting or authentication
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin > Plugins > Installed Plugins for 'Simple calendar for Elementor' version 1.6.6 or lower
Check Version:
wp plugin list --name='simple-calendar-for-elementor' --field=version
Verify Fix Applied:
Verify plugin version is above 1.6.6 in WordPress admin panel
📡 Detection & Monitoring
Log Indicators:
- HTTP POST requests to /wp-admin/admin-ajax.php with action=miga_editor_cal_delete
- Unusual calendar entry deletions in plugin logs
Network Indicators:
- POST requests to admin-ajax.php with miga_editor_cal_delete parameter from unexpected IPs
SIEM Query:
source="web_logs" AND uri="/wp-admin/admin-ajax.php" AND method="POST" AND params.action="miga_editor_cal_delete"
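The log indicators above as a runnable check (an added example, not part of the original advisory or the plugin's code): it scans web access log lines for POST requests to admin-ajax.php that carry action=miga_editor_cal_delete in the query string or the body, and counts them per source IP. It assumes combined log format with an optional trailing quoted request-body field; standard access logs do not record POST bodies, so a body-carried action is only visible if body logging is configured. The sample lines are constructed.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

ACTION = "miga_editor_cal_delete"  # AJAX action named in the advisory

# Combined log format plus an optional trailing quoted request body.
# Assumption: body logging is configured (e.g. nginx "$request_body").
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*"(?: "(?P<body>[^"]*)")?'
)

def delete_requests(lines):
    """Yield (ip, status, where) for POSTs to admin-ajax.php with the action."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        url = urlsplit(m["target"])
        if not url.path.endswith("/wp-admin/admin-ajax.php"):
            continue
        # The action can travel in the query string or in the POST body.
        for where, raw in (("query", url.query), ("body", m["body"] or "")):
            if ACTION in parse_qs(raw).get("action", []):
                yield m["ip"], int(m["status"]), where
                break

def summarize(lines):
    """Count matching requests per source IP for triage."""
    return Counter(ip for ip, _, _ in delete_requests(lines))

# Constructed sample lines (documentation IP ranges), not real traffic.
_T = "[10/Feb/2026:10:00:00 +0000]"
_AJAX = "/wp-admin/admin-ajax.php"
SAMPLE = [
    f'203.0.113.7 - - {_T} "POST {_AJAX} HTTP/1.1" 200 12 "-" "curl/8.5" "action={ACTION}"',
    f'203.0.113.7 - - {_T} "POST {_AJAX}?action={ACTION} HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
    f'198.51.100.20 - - {_T} "POST {_AJAX} HTTP/1.1" 200 40 "-" "Mozilla/5.0" "action=heartbeat"',
    f'198.51.100.20 - - {_T} "GET {_AJAX}?action={ACTION} HTTP/1.1" 400 1 "-" "Mozilla/5.0"',
    f'192.0.2.9 - - {_T} "POST {_AJAX} HTTP/1.1" 403 2 "-" "python-requests/2.31" "action={ACTION}"',
]

if __name__ == "__main__":
    for ip, count in summarize(SAMPLE).most_common():
        print(f"{ip}\t{count} request(s) with action={ACTION}")
```

On a patched or mitigated site, matching requests from logged-out clients should show error statuses; successful responses to unexpected IPs are the ones to correlate with missing calendar entries.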
🔗 References
- https://plugins.trac.wordpress.org/browser/simple-calendar-for-elementor/tags/1.6.6/widget/includes/backend_functions.php#L3
- https://plugins.trac.wordpress.org/browser/simple-calendar-for-elementor/trunk/widget/includes/backend_functions.php#L3
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3444617%40simple-calendar-for-elementor&new=3444617%40simple-calendar-for-elementor&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/e537c56d-7c5e-4f21-b266-ef3d1a87caf2?source=cve