CVE-2026-22351
📋 TL;DR
This CVE describes a Missing Authorization (CWE-862) vulnerability in the WP FullCalendar WordPress plugin: functionality that should be limited to suitably privileged users can be reached without the access-control check that should guard it. It affects WordPress sites running WP FullCalendar versions up to and including 1.6. Users who are not authorized for the affected functionality can invoke it anyway.
💻 Affected Systems
- WP FullCalendar WordPress Plugin
⚠️ Manual Verification Required
The CVE record in our database carries no machine-readable version range, so automated vulnerability detection cannot determine whether your installation is affected; compare the installed version manually against the 1.6 cutoff given above.
Why? The database entry for this CVE does not specify which versions are vulnerable (no version ranges were provided by the vendor or NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could modify calendar events, delete content, or access administrative functions without authentication, potentially leading to site defacement, data loss, or privilege escalation.
Likely Case
Unauthorized users could view, create, modify, or delete calendar events they shouldn't have access to, disrupting site functionality and potentially exposing sensitive scheduling information.
If Mitigated
With the missing authorization checks in place (the plugin verifying the caller's capability before acting), the restricted functionality is unreachable to unauthorized users and the plugin behaves normally for users with the appropriate permissions.
🎯 Exploit Status
Because the flaw is a missing authorization check rather than a memory-safety or multi-step logic bug, exploitation typically requires no special technique: an ordinary HTTP request to the unprotected functionality, sent by a user who should not have access to it, reaches it.
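As an added illustration of the vulnerability class (this is generic example code, not WP FullCalendar's code, and the action name, nonce action and capability are hypothetical), the snippet below shows a WordPress admin-ajax.php handler with no authorization check beside a hardened version of the same handler. The vulnerable form is reachable by any HTTP client that POSTs the action name to admin-ajax.php; the hardened form requires a nonce bound to the action and a capability check against the specific object being modified.

```php
<?php
// Added illustration of the missing-authorization pattern in a WordPress
// AJAX handler. NOT WP FullCalendar's code: the action name
// "example_calendar_save_event", the nonce action and the capability are
// hypothetical placeholders.

// --- Vulnerable pattern ---------------------------------------------------
// Registering a state-changing handler on the "nopriv" hook makes it
// reachable by anonymous clients, and the body never checks who is calling.
add_action( 'wp_ajax_example_calendar_save_event',        'example_save_event_vulnerable' );
add_action( 'wp_ajax_nopriv_example_calendar_save_event', 'example_save_event_vulnerable' );

function example_save_event_vulnerable() {
    // No nonce and no capability check: a plain
    //   POST /wp-admin/admin-ajax.php  action=example_calendar_save_event&event_id=..&title=..
    // from any client reaches wp_update_post().
    $event_id = absint( $_POST['event_id'] ?? 0 );
    $title    = sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) );
    wp_update_post( array( 'ID' => $event_id, 'post_title' => $title ) );
    wp_send_json_success();
}

// --- Hardened pattern -----------------------------------------------------
// Only the authenticated hook is registered, the request must carry a nonce
// bound to this action, and the caller must hold a capability that covers
// the specific object being changed (not merely "is logged in").
add_action( 'wp_ajax_example_calendar_save_event', 'example_save_event_hardened' );

function example_save_event_hardened() {
    // 1. Request forgery: the nonce is issued on the calling page with
    //    wp_create_nonce( 'example_calendar_save' ); check_ajax_referer()
    //    terminates the request on mismatch.
    check_ajax_referer( 'example_calendar_save', 'nonce' );

    $event_id = absint( $_POST['event_id'] ?? 0 );

    // 2. Authorization: meta-capability checked against the target object.
    //    A subscriber is logged in too, so is_user_logged_in() is not enough.
    if ( ! $event_id || ! current_user_can( 'edit_post', $event_id ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // 3. Input handling is unchanged; authorization is the fix, not sanitizing.
    $title = sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) );
    wp_update_post( array( 'ID' => $event_id, 'post_title' => $title ) );
    wp_send_json_success();
}
```

The point to check in any plugin handler is the pair of guards in the hardened version: a nonce alone does not authorize (a low-privilege user can obtain a valid nonce), and a capability check alone does not stop a forged request from a privileged user's browser. Both are needed, and the capability must be the one that actually governs the object being modified.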
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after 1.6
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find WP FullCalendar and check whether an update is available.
4. If an update is available, click 'Update Now'.
5. Alternatively, download the latest version from the WordPress plugin repository and replace the plugin files.
🔧 Temporary Workarounds
Disable WP FullCalendar Plugin
Temporarily disable the vulnerable plugin until it is patched:
wp plugin deactivate wp-fullcalendar
Restrict Access via Web Application Firewall
Configure WAF rules to block requests to the plugin's calendar endpoints (including its admin-ajax.php actions) from clients that are not authenticated as users entitled to use them. Treat this as a stopgap only: a rule keyed on request paths or action names can be bypassed by encoding or parameter variations and does not replace the patch.
🧯 If You Can't Patch
- Disable the WP FullCalendar plugin immediately
- Implement strict network access controls to limit who can access the WordPress site
🔍 How to Verify
Check if Vulnerable:
Check the WordPress admin panel → Plugins → Installed Plugins for the WP FullCalendar version. If it is 1.6 or earlier, the site is affected.
Check Version:
wp plugin get wp-fullcalendar --field=version
Verify Fix Applied:
After updating, verify WP FullCalendar version is greater than 1.6 in WordPress admin panel.
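The same check can be run from a shell on the server without loading WordPress or wp-cli, by reading the "Version:" header of the plugin's main file and comparing it with version_compare(). This is an added example, not part of the original advisory; the plugin path and main file name below are assumptions, so pass the real path as the first argument.

```php
<?php
// Added example, not part of the original advisory: read the installed
// plugin version from its header and compare it against the 1.6 cutoff.
// The default path and main-file name are assumptions.

/** Extract the "Version:" header from a WordPress plugin's main file. */
function example_plugin_header_version( string $plugin_file ): ?string {
    // WordPress itself reads only the first 8 KiB when parsing plugin headers.
    $head = @file_get_contents( $plugin_file, false, null, 0, 8192 );
    if ( $head === false ) {
        return null;
    }
    if ( preg_match( '/^[ \t\/*#@]*Version:[ \t]*(\S+)/mi', $head, $m ) ) {
        return $m[1];
    }
    return null;
}

/** True when $version is in the affected range this page gives (1.6 or earlier). */
function example_is_affected_version( string $version ): bool {
    // version_compare() treats "1.6" and "1.6.0" as equal and "1.6.1" as newer,
    // so "versions after 1.6" from the fix section is exactly the complement.
    return version_compare( $version, '1.6', '<=' );
}

$plugin_file = $argv[1] ?? '/var/www/html/wp-content/plugins/wp-fullcalendar/wp-fullcalendar.php';
$version     = example_plugin_header_version( $plugin_file );
if ( $version === null ) {
    fwrite( STDERR, "no Version: header found in $plugin_file\n" );
    exit( 2 );
}
$affected = example_is_affected_version( $version );
printf( "WP FullCalendar %s: %s\n", $version, $affected ? 'AFFECTED (1.6 or earlier)' : 'outside affected range' );
exit( $affected ? 1 : 0 );
```

Run it as `php check-wpfc-version.php /path/to/plugin-main-file.php`; exit status 1 means affected, 0 means outside the range, 2 means the header could not be read. Note that the header reports what is on disk, not necessarily what is active: confirm the plugin is actually enabled with the wp-cli command above or in the admin panel.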
📡 Detection & Monitoring
Log Indicators:
- Unauthorized POST/PUT/DELETE requests to /wp-admin/admin-ajax.php with calendar-related actions
- Failed authorization attempts for calendar functions from unexpected IPs
Network Indicators:
- Unusual HTTP requests to calendar endpoints from unauthenticated users
- Multiple rapid requests to admin-ajax.php with calendar parameters
SIEM Query:
source="wordpress.log" AND (uri_path="/wp-admin/admin-ajax.php") AND (action="*calendar*" OR params="*calendar*") AND (user="-" OR http_status=403)
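The indicators above can be applied directly to web-server access logs. The script below is an added example, not part of the original advisory or the plugin: it parses a few constructed lines in Apache/nginx "combined" format, flags state-changing admin-ajax.php requests whose action name contains "calendar" when no authenticated user is recorded or the response is 403, and reports IPs that exceed a request-burst threshold. The action names in the sample are invented for illustration.

```php
<?php
// Added example, not taken from the original advisory or the plugin: run the
// page's log indicators over constructed access-log lines ("combined" format).
// Action names are invented; the remote-user field (3rd column) is only
// populated when the web server itself authenticated the client.

const EXAMPLE_ACCESS_LOG = <<<'LOG'
203.0.113.7 - - [11/Jan/2026:10:01:02 +0000] "POST /wp-admin/admin-ajax.php?action=example_calendar_save HTTP/1.1" 200 42 "-" "curl/8.4.0"
203.0.113.7 - - [11/Jan/2026:10:01:03 +0000] "POST /wp-admin/admin-ajax.php?action=example_calendar_delete HTTP/1.1" 200 17 "-" "curl/8.4.0"
203.0.113.7 - - [11/Jan/2026:10:01:03 +0000] "POST /wp-admin/admin-ajax.php?action=example_calendar_delete HTTP/1.1" 403 17 "-" "curl/8.4.0"
198.51.100.2 - editor [11/Jan/2026:10:05:44 +0000] "POST /wp-admin/admin-ajax.php?action=example_calendar_save HTTP/1.1" 200 42 "https://example.test/wp-admin/" "Mozilla/5.0"
198.51.100.9 - - [11/Jan/2026:10:06:00 +0000] "GET /wp-admin/admin-ajax.php?action=example_calendar_feed HTTP/1.1" 200 900 "-" "Mozilla/5.0"
LOG;

/** Parse one combined-format line into the fields the indicators need. */
function example_parse_log_line( string $line ): ?array {
    $re = '/^(\S+) \S+ (\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) /';
    if ( ! preg_match( $re, $line, $m ) ) {
        return null;
    }
    $url = parse_url( $m[5] );
    parse_str( $url['query'] ?? '', $query );
    return [
        'ip'     => $m[1],
        'user'   => $m[2],            // "-" unless the server authenticated the client
        'method' => $m[4],
        'path'   => $url['path'] ?? '',
        'query'  => $query,
        'status' => (int) $m[6],
    ];
}

/**
 * One finding per suspicious request, plus one per IP that sends at least
 * $burst_threshold calendar requests to admin-ajax.php within the sample.
 */
function example_find_suspicious( string $log, int $burst_threshold = 3 ): array {
    $findings = [];
    $per_ip   = [];
    foreach ( preg_split( '/\R/', trim( $log ) ) as $line ) {
        $r = example_parse_log_line( $line );
        if ( $r === null || $r['path'] !== '/wp-admin/admin-ajax.php' ) {
            continue;
        }
        $action = $r['query']['action'] ?? '';
        if ( stripos( $action, 'calendar' ) === false ) {
            continue;
        }
        $per_ip[ $r['ip'] ] = ( $per_ip[ $r['ip'] ] ?? 0 ) + 1;

        $state_changing  = in_array( $r['method'], [ 'POST', 'PUT', 'DELETE' ], true );
        $unauthenticated = ( $r['user'] === '-' );
        if ( $state_changing && ( $unauthenticated || $r['status'] === 403 ) ) {
            $findings[] = [
                'ip'     => $r['ip'],
                'action' => $action,
                'status' => $r['status'],
                'reason' => $r['status'] === 403 ? 'forbidden' : 'no authenticated user',
            ];
        }
    }
    foreach ( $per_ip as $ip => $count ) {
        if ( $count >= $burst_threshold ) {
            $findings[] = [ 'ip' => $ip, 'action' => '*', 'status' => 0, 'reason' => "burst: $count calendar requests" ];
        }
    }
    return $findings;
}

// Prints the three requests from 203.0.113.7 (two with no user, one 403),
// skips the editor's request and the GET feed fetch, then a burst line for 203.0.113.7.
foreach ( example_find_suspicious( EXAMPLE_ACCESS_LOG ) as $f ) {
    printf( "%-14s %-24s %3s %s\n", $f['ip'], $f['action'], $f['status'] ?: '-', $f['reason'] );
}
```

Two caveats when using this against real logs. First, the remote-user column in an access log is only set by HTTP authentication or a dedicated logging module; WordPress sessions are cookie-based and show as "-" there, so "no authenticated user" means "no web-server-level user", exactly as the SIEM query's `user="-"` does, and you need WAF or application logs (or a log format that records the WordPress user) to tell an anonymous caller from a logged-in one. Second, admin-ajax.php actions are usually sent in the POST body, which access logs do not record, so a query-string match like the one above will miss them unless the WAF or application layer logs request parameters.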