{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1987", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-02-05T15:13:29.984Z", "datePublished": "2026-02-14T06:42:37.284Z", "dateUpdated": "2026-04-08T17:34:57.193Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:34:57.193Z"}, "affected": [{"vendor": "morelmathieuj", "product": "Scheduler Widget", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "0.1.6", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Scheduler Widget plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 0.1.6. This is due to the `scheduler_widget_ajax_save_event()` function lacking proper authorization checks and ownership verification when updating events. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify any event in the scheduler via the `id` parameter granted they have knowledge of the event ID."}], "title": "Scheduler Widget <= 0.1.6 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary Event Modification", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/fd5f370c-743f-41f1-80ab-7f0805cae38c?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/scheduler-widget/trunk/scheduler-widget.php#L158"}, {"url": "https://plugins.trac.wordpress.org/browser/scheduler-widget/tags/0.1.6/scheduler-widget.php#L158"}, {"url": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/05-Authorization_Testing/04-Testing_for_Insecure_Direct_Object_References"}, {"url": "https://cwe.mitre.org/data/definitions/639.html"}, {"url": "https://cwe.mitre.org/data/definitions/862.html"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-639 Authorization Bypass Through User-Controlled Key", "cweId": "CWE-639", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "baseScore": 5.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "MD. TAREQ AHAMED JONY"}], "timeline": [{"time": "2026-02-13T18:27:43.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-17T15:36:28.901404Z", "id": "CVE-2026-1987", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-17T15:45:11.666Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1987", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-17T15:36:28.901404Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-17T15:36:29.585Z"}}], "cna": {"title": "Scheduler Widget <= 0.1.6 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary Event Modification", "credits": [{"lang": "en", "type": "finder", "value": "MD. TAREQ AHAMED JONY"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L"}}], "affected": [{"vendor": "morelmathieuj", "product": "Scheduler Widget", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "0.1.6"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-02-13T18:27:43.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/fd5f370c-743f-41f1-80ab-7f0805cae38c?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/scheduler-widget/trunk/scheduler-widget.php#L158"}, {"url": "https://plugins.trac.wordpress.org/browser/scheduler-widget/tags/0.1.6/scheduler-widget.php#L158"}, {"url": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/05-Authorization_Testing/04-Testing_for_Insecure_Direct_Object_References"}, {"url": "https://cwe.mitre.org/data/definitions/639.html"}, {"url": "https://cwe.mitre.org/data/definitions/862.html"}], "descriptions": [{"lang": "en", "value": "The Scheduler Widget plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 0.1.6. This is due to the `scheduler_widget_ajax_save_event()` function lacking proper authorization checks and ownership verification when updating events. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify any event in the scheduler via the `id` parameter granted they have knowledge of the event ID."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-639", "description": "CWE-639 Authorization Bypass Through User-Controlled Key"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:34:57.193Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1987", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:34:57.193Z", "dateReserved": "2026-02-05T15:13:29.984Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-02-14T06:42:37.284Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Scheduler Widget plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 0.1.6. This is due to the `scheduler_widget_ajax_save_event()` function lacking proper authorization checks and ownership verification when updating events. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify any event in the scheduler via the `id` parameter granted they have knowledge of the event ID."}, {"lang": "es", "value": "El plugin Scheduler Widget para WordPress es vulnerable a una referencia directa insegura a objetos (IDOR) en todas las versiones hasta la 0.1.6, inclusive. Esto se debe a que la funci\u00f3n 'scheduler_widget_ajax_save_event()' carece de comprobaciones de autorizaci\u00f3n adecuadas y verificaci\u00f3n de propiedad al actualizar eventos. Esto permite a atacantes autenticados, con acceso de nivel Suscriptor y superior, modificar cualquier evento en el programador a trav\u00e9s del par\u00e1metro 'id' siempre que conozcan el ID del evento."}], "id": "CVE-2026-1987", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-02-14T07:16:12.493", "references": [{"source": "security@wordfence.com", "url": "https://cwe.mitre.org/data/definitions/639.html"}, {"source": "security@wordfence.com", "url": "https://cwe.mitre.org/data/definitions/862.html"}, {"source": "security@wordfence.com", "url": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/05-Authorization_Testing/04-Testing_for_Insecure_Direct_Object_References"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/scheduler-widget/tags/0.1.6/scheduler-widget.php#L158"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/scheduler-widget/trunk/scheduler-widget.php#L158"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/fd5f370c-743f-41f1-80ab-7f0805cae38c?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.1.6]"}}], "product": "scheduler_widget", "vendor": "morelmathieuj"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-15T18:24:45.025373+00:00", "value": {"mitigation_remediation": ["Upgrade the Scheduler Widget plugin to a version with proper authorization checks for event modifications.", "If an upgrade is not possible and the plugin is required, remove or disable the plugin to prevent exposure until a fix is released.", "For sites that must continue to use the plugin, consider tightening role permissions so that Subscribers cannot perform event edits, or add custom code to enforce event ownership checks before invoking the AJAX handler."], "summary": {"action": "Update Plugin", "impact": "Arbitrary event modification via insecure direct object reference"}, "threat_synthesis": {"affected_systems": "All installations of the Scheduler Widget plugin for WordPress, from vendor morelmathieuj, with version 0.1.6 or earlier are affected. Any WordPress site that has installed this plugin and has users with Subscriber role or higher is potentially impacted.", "description_and_impact": "The Scheduler Widget plugin for WordPress is vulnerable to an insecure direct object reference in the scheduler_widget_ajax_save_event() handler. The function accepts an event id parameter but does not perform authorization checks or ownership verification, allowing any authenticated user who has Subscriber-level access or higher to modify the data of any event. This flaw can enable a user to change event schedules or details, potentially disrupting scheduled events or exposing sensitive information. The flaw is classified as CWE-639.", "risk_and_exploitability": "The CVSS base score is 5.4, indicating moderate severity, and the EPSS score is less than 1%, implying a very low exploitation probability. The vulnerability is not currently listed in CISA's KEV catalog, suggesting it has not been widely exploited. An attacker would need to be authenticated on the site with a Subscriber role or higher and possess knowledge of the numeric event ID. Once authenticated, the attacker can send an AJAX request to the plugin\u2019s save endpoint with the target event ID to create or alter any event. No additional conditions are specified, so the attack is relatively straightforward for an insider or compromised account."}}}}, "created": "2026-02-16T12:01:59.607070+00:00", "updated": "2026-04-15T18:30:10.949245+00:00", "vendors": ["morelmathieuj", "morelmathieuj$PRODUCT$scheduler_widget", "wordpress", "wordpress$PRODUCT$wordpress"]}