{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22351", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-07T12:21:19.920Z", "datePublished": "2026-02-20T15:47:00.722Z", "dateUpdated": "2026-04-28T16:47:54.145Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "wp-fullcalendar", "product": "WP FullCalendar", "vendor": "Marcus (aka @msykes)", "versions": [{"lessThanOrEqual": "1.6", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Doan Dinh Van | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-22T14:19:55.559Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in Marcus (aka @msykes) WP FullCalendar wp-fullcalendar allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects WP FullCalendar: from n/a through <= 1.6.</p>"}], "value": "Missing Authorization vulnerability in Marcus (aka @msykes) WP FullCalendar wp-fullcalendar allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP FullCalendar: from n/a through <= 1.6."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:41.359Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/wp-fullcalendar/vulnerability/wordpress-wp-fullcalendar-plugin-1-6-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress WP FullCalendar plugin <= 1.6 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-23T20:56:35.420186Z", "id": "CVE-2026-22351", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T16:47:54.145Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-22351", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-23T20:56:35.420186Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-23T20:56:55.476Z"}}], "cna": {"title": "WordPress WP FullCalendar plugin <= 1.6 - Broken Access Control vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Doan Dinh Van | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Marcus (aka @msykes)", "product": "WP FullCalendar", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "1.6"}], "packageName": "wp-fullcalendar", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-22T14:19:55.559Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/wp-fullcalendar/vulnerability/wordpress-wp-fullcalendar-plugin-1-6-broken-access-control-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Marcus (aka @msykes) WP FullCalendar wp-fullcalendar allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP FullCalendar: from n/a through <= 1.6.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in Marcus (aka @msykes) WP FullCalendar wp-fullcalendar allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects WP FullCalendar: from n/a through <= 1.6.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-23T14:14:01.773Z"}}}, "cveMetadata": {"cveId": "CVE-2026-22351", "state": "PUBLISHED", "dateUpdated": "2026-04-24T17:46:47.863Z", "dateReserved": "2026-01-07T12:21:19.920Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-02-20T15:47:00.722Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Marcus (aka @msykes) WP FullCalendar wp-fullcalendar allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP FullCalendar: from n/a through <= 1.6."}, {"lang": "es", "value": "Vulnerabilidad de autorizaci\u00f3n faltante en Marcus (tambi\u00e9n conocido como @msykes) WP FullCalendar wp-fullcalendar permite la explotaci\u00f3n de niveles de seguridad de control de acceso configurados incorrectamente. Este problema afecta a WP FullCalendar: desde n/a hasta &lt;= 1.6."}], "id": "CVE-2026-22351", "lastModified": "2026-04-28T19:36:30.863", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2026-02-20T16:22:34.237", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/wp-fullcalendar/vulnerability/wordpress-wp-fullcalendar-plugin-1-6-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,1.6]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "WP FullCalendar", "source": "cna", "vendor": "Marcus (aka @msykes)"}, "product": "wp_fullcalendar", "vendor": "marcus_(aka_@msykes)"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-28T17:36:55.540664+00:00", "value": {"mitigation_remediation": ["Update the WP FullCalendar plugin to version 1.7 or later to apply the vendor\u2011supplied fix.", "Restrict public access to the plugin's administrative URLs, using .htaccess rules or a security plugin, to reduce exposure.", "Review and enforce the plugin's access control settings, ensuring that only users with administrator privileges can perform event modification or creation."], "summary": {"action": "Patch", "impact": "Unauthorized privileged access"}, "threat_synthesis": {"affected_systems": "Version 1.6 and earlier of Marcus' WP FullCalendar WordPress plugin are affected. The vulnerability applies to all WordPress sites that have this plugin installed and activated, regardless of the website's configuration or host.", "description_and_impact": "Missing Authorization vulnerability in Marcus' WP FullCalendar plugin allows exploitation of incorrectly configured access control. The plugin does not enforce proper authorization for certain operations, enabling an attacker to perform privileged actions such as creating, modifying, or deleting calendar events, or viewing sensitive event data. This flaw is classified as CWE-862 and can compromise the confidentiality, integrity, and availability of the site's scheduling information.", "risk_and_exploitability": "The CVSS score is 7.5, indicating a high severity vulnerability. The EPSS score is less than 1%, suggesting a low probability of real-world exploitation at this time, and the flaw is not listed in the CISA KEV catalog. Based on the plugin's nature as a WordPress extension, the likely attack vector is remote HTTP requests to the plugin's endpoints. An attacker with any user access to the site, or who can send crafted requests, could exploit this weakness without needing additional privileges, making it a significant risk in environments lacking stricter access controls."}}}}, "created": "2026-02-23T14:36:42.648922+00:00", "updated": "2026-04-28T17:45:16.125614+00:00", "vendors": ["marcus_(aka_@msykes)", "marcus_(aka_@msykes)$PRODUCT$wp_fullcalendar", "wordpress", "wordpress$PRODUCT$wordpress"]}