{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1310", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-01-21T20:23:26.889Z", "datePublished": "2026-01-28T06:43:45.172Z", "dateUpdated": "2026-04-08T17:29:46.743Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:29:46.743Z"}, "affected": [{"vendor": "migaweb", "product": "Simple calendar for Elementor", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.6.6", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Simple calendar for Elementor plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.6.6. This is due to missing capability checks on the `miga_ajax_editor_cal_delete` function that is hooked to the `miga_editor_cal_delete` AJAX action with both authenticated and unauthenticated access enabled. This makes it possible for unauthenticated attackers to delete arbitrary calendar entries by sending a request with a valid nonce and the calendar entry ID."}], "title": "Simple calendar for Elementor <= 1.6.6 - Missing Authorization to Unauthenticated Arbitrary Calendar Entry Deletion", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e537c56d-7c5e-4f21-b266-ef3d1a87caf2?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/simple-calendar-for-elementor/trunk/widget/includes/backend_functions.php#L3"}, {"url": "https://plugins.trac.wordpress.org/browser/simple-calendar-for-elementor/tags/1.6.6/widget/includes/backend_functions.php#L3"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3444617%40simple-calendar-for-elementor&new=3444617%40simple-calendar-for-elementor&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan"}], "timeline": [{"time": "2026-01-27T18:06:15.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-28T14:50:03.775623Z", "id": "CVE-2026-1310", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-28T14:50:23.612Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1310", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-28T14:50:03.775623Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-28T14:50:16.758Z"}}], "cna": {"title": "Simple calendar for Elementor <= 1.6.6 - Missing Authorization to Unauthenticated Arbitrary Calendar Entry Deletion", "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "migaweb", "product": "Simple calendar for Elementor", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "1.6.6"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-01-27T18:06:15.000+00:00", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e537c56d-7c5e-4f21-b266-ef3d1a87caf2?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/simple-calendar-for-elementor/trunk/widget/includes/backend_functions.php#L3"}, {"url": "https://plugins.trac.wordpress.org/browser/simple-calendar-for-elementor/tags/1.6.6/widget/includes/backend_functions.php#L3"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3444617%40simple-calendar-for-elementor&new=3444617%40simple-calendar-for-elementor&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The Simple calendar for Elementor plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.6.6. This is due to missing capability checks on the `miga_ajax_editor_cal_delete` function that is hooked to the `miga_editor_cal_delete` AJAX action with both authenticated and unauthenticated access enabled. This makes it possible for unauthenticated attackers to delete arbitrary calendar entries by sending a request with a valid nonce and the calendar entry ID."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-01-28T06:43:45.172Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1310", "state": "PUBLISHED", "dateUpdated": "2026-01-28T14:50:23.612Z", "dateReserved": "2026-01-21T20:23:26.889Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-01-28T06:43:45.172Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Simple calendar for Elementor plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.6.6. This is due to missing capability checks on the `miga_ajax_editor_cal_delete` function that is hooked to the `miga_editor_cal_delete` AJAX action with both authenticated and unauthenticated access enabled. This makes it possible for unauthenticated attackers to delete arbitrary calendar entries by sending a request with a valid nonce and the calendar entry ID."}, {"lang": "es", "value": "El plugin Simple calendar para Elementor para WordPress es vulnerable a Falta de Autorizaci\u00f3n en todas las versiones hasta la 1.6.6, inclusive. Esto se debe a la falta de comprobaciones de capacidad en la funci\u00f3n `miga_ajax_editor_cal_delete` que est\u00e1 enganchada a la acci\u00f3n AJAX `miga_editor_cal_delete` con acceso autenticado y no autenticado habilitado. Esto hace posible que atacantes no autenticados eliminen entradas de calendario arbitrarias enviando una solicitud con un nonce v\u00e1lido y el ID de la entrada del calendario."}], "id": "CVE-2026-1310", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-01-28T07:16:00.900", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/simple-calendar-for-elementor/tags/1.6.6/widget/includes/backend_functions.php#L3"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/simple-calendar-for-elementor/trunk/widget/includes/backend_functions.php#L3"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3444617%40simple-calendar-for-elementor&new=3444617%40simple-calendar-for-elementor&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e537c56d-7c5e-4f21-b266-ef3d1a87caf2?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-15T17:35:13.207706+00:00", "value": {"mitigation_remediation": ["Upgrade Simple calendar for Elementor to the latest release (1.6.7 or newer) where the AJAX handler enforces proper capability checks.", "If an upgrade is not immediately possible, block unauthenticated access to the miga_editor_cal_delete AJAX action, for example by disabling the action or by configuring a firewall rule that requires authentication for any request to /wp-admin/admin-ajax.php with the action miga_editor_cal_delete.", "Apply a site\u2011wide content or access restriction to delete operations via a security plugin or web\u2011application firewall, ensuring that only users with appropriate roles can trigger deletion of calendar entries."], "summary": {"action": "Upgrade Plugin", "impact": "Deletion of calendar entries by unauthenticated users"}, "threat_synthesis": {"affected_systems": "WordPress sites that have installed the migaweb Simple calendar for Elementor plugin, versions 1.6.6 and earlier. The vulnerability is present in any deployment of these plugin versions because the insecure AJAX action is registered unconditionally.", "description_and_impact": "The Simple calendar for Elementor plugin for WordPress contains a missing authorization check on the miga_ajax_editor_cal_delete function, which is hooked to the miga_editor_cal_delete AJAX action and exposed to both authenticated and unauthenticated requests. An attacker can send a request that includes a valid nonce and a specific calendar entry ID to the AJAX handler, causing that entry to be deleted. Since the action bypasses all capability checks, unauthenticated users are able to remove arbitrary entries, leading to unintended loss of content and potential disruption of calendar functionality for site users. This flaw is identified as CWE-862, \"Missing Authorization\".", "risk_and_exploitability": "The CVSS base score of 5.3 indicates moderate severity. The EPSS score is less than 1\u202f% and the vulnerability is not listed in the CISA KEV catalog, suggesting a low likelihood of real\u2011world exploitation at present. The likely attack vector is a web\u2011based AJAX request that includes a valid nonce; the requirement for a nonce may constrain immediate exploitation but does not eliminate the risk if an attacker can acquire or guess a nonce from the site context. Overall, the threat is moderate but the current probability of exploitation is low."}}}}, "created": "2026-01-29T09:18:21.200504+00:00", "updated": "2026-04-15T18:00:15.532443+00:00", "vendors": ["migaweb", "migaweb$PRODUCT$simple_calendar_for_elementor", "wordpress", "wordpress$PRODUCT$wordpress"]}