{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24523", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-23T12:31:31.582Z", "datePublished": "2026-01-23T14:28:48.770Z", "dateUpdated": "2026-04-28T16:14:48.745Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "wp-fullcalendar", "product": "WP FullCalendar", "vendor": "Marcus (aka @msykes)", "versions": [{"lessThanOrEqual": "1.6", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-22T14:20:57.605Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Marcus (aka @msykes) WP FullCalendar wp-fullcalendar allows Retrieve Embedded Sensitive Data.<p>This issue affects WP FullCalendar: from n/a through <= 1.6.</p>"}], "value": "Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Marcus (aka @msykes) WP FullCalendar wp-fullcalendar allows Retrieve Embedded Sensitive Data.This issue affects WP FullCalendar: from n/a through <= 1.6."}], "impacts": [{"capecId": "CAPEC-37", "descriptions": [{"lang": "en", "value": "Retrieve Embedded Sensitive Data"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-497", "description": "Exposure of Sensitive System Information to an Unauthorized Control Sphere", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:48.745Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/wp-fullcalendar/vulnerability/wordpress-wp-fullcalendar-plugin-1-6-sensitive-data-exposure-vulnerability?_s_id=cve"}], "title": "WordPress WP FullCalendar plugin <= 1.6 - Sensitive Data Exposure vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-26T19:37:35.437130Z", "id": "CVE-2026-24523", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T14:10:49.617Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-24523", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-26T19:37:35.437130Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-26T19:37:39.341Z"}}], "cna": {"title": "WordPress WP FullCalendar plugin <= 1.6 - Sensitive Data Exposure vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-37", "descriptions": [{"lang": "en", "value": "Retrieve Embedded Sensitive Data"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Marcus (aka @msykes)", "product": "WP FullCalendar", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "1.6"}], "packageName": "wp-fullcalendar", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-22T14:20:57.605Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/wp-fullcalendar/vulnerability/wordpress-wp-fullcalendar-plugin-1-6-sensitive-data-exposure-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Marcus (aka @msykes) WP FullCalendar wp-fullcalendar allows Retrieve Embedded Sensitive Data.This issue affects WP FullCalendar: from n/a through <= 1.6.", "supportingMedia": [{"type": "text/html", "value": "Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Marcus (aka @msykes) WP FullCalendar wp-fullcalendar allows Retrieve Embedded Sensitive Data.<p>This issue affects WP FullCalendar: from n/a through <= 1.6.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-497", "description": "Exposure of Sensitive System Information to an Unauthorized Control Sphere"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-23T14:14:05.636Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24523", "state": "PUBLISHED", "dateUpdated": "2026-04-24T18:17:31.322Z", "dateReserved": "2026-01-23T12:31:31.582Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-01-23T14:28:48.770Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Marcus (aka @msykes) WP FullCalendar wp-fullcalendar allows Retrieve Embedded Sensitive Data.This issue affects WP FullCalendar: from n/a through <= 1.6."}, {"lang": "es", "value": "Exposici\u00f3n de Informaci\u00f3n Sensible del Sistema a una Esfera de Control No Autorizada en Marcus (tambi\u00e9n conocido como @msykes) WP FullCalendar wp-fullcalendar permite Recuperar Datos Sensibles Incrustados. Este problema afecta a WP FullCalendar: desde n/a hasta &lt;= 1.6."}], "id": "CVE-2026-24523", "lastModified": "2026-04-28T15:16:10.037", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2026-01-23T15:16:08.047", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/wp-fullcalendar/vulnerability/wordpress-wp-fullcalendar-plugin-1-6-sensitive-data-exposure-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-497"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-28T22:30:30.151475+00:00", "value": {"mitigation_remediation": ["Upgrade the WP FullCalendar plugin to the latest available version (1.7 or newer).", "If the plugin is no longer required, uninstall or deactivate it to eliminate the exposure.", "Audit server logs for unusual access patterns to the plugin and revoke any compromised credentials."], "summary": {"action": "Patch Immediately", "impact": "Sensitive Data Exposure"}, "threat_synthesis": {"affected_systems": "Affected installations are sites running the WP FullCalendar plugin developed by Marcus (aka @msykes). All plugin versions from the first release up to and including 1.6 are vulnerable, regardless of WordPress core version or other plugin configuration.", "description_and_impact": "WordPress WP FullCalendar plugin versions 1.6 and earlier allow exposed system information to be retrieved by an unauthorized control sphere. This flaw arises from a failure to protect sensitive data within the plugin and is classified under CWE\u2011497, indicating insufficient handling of internal system resources. An attacker who can influence the plugin's behavior could use the exposed data to gain insight into the underlying WordPress environment or identify potential further attack vectors, thereby compromising confidentiality.", "risk_and_exploitability": "The CVSS v3.1 score of 5.3 indicates a moderate severity, and the EPSS score of less than 1% suggests a very low current exploitation probability. The vulnerability is not flagged in the CISA KEV catalog. Attackers would likely need to interact with the plugin through a legitimate WordPress session or exploit a broader administrative access to read the exposed data; based on the description, it is inferred that the exploitation likely requires some level of authenticated interaction, implying that privileged users may be the primary targets."}}}}, "created": "2026-01-26T11:54:27.992650+00:00", "updated": "2026-04-28T22:30:41.641151+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}