CVE-2026-40308: Unauthenticated Information Disclosure (IDOR) via Multisite switch_to_blog in My Calendar

April 16, 2026

An unauthenticated Insecure Direct Object Reference (IDOR) and Denial of Service (DoS) vulnerability in the My Calendar plugin allows any unauthenticated user to extract calendar events (including private or hidden ones) from any sub-site on a WordPress Multisite network. On standard Single Site WordPress installations, this same endpoint crashes the PHP worker thread, creating an unauthenticated Denial of Service (DoS) vector.

References

github.com/advisories/GHSA-2mvx-f5qm-v2ch
github.com/joedolson/my-calendar
github.com/joedolson/my-calendar/security/advisories/GHSA-2mvx-f5qm-v2ch
nvd.nist.gov/vuln/detail/CVE-2026-40308

Code Behaviors & Features

Detect and mitigate CVE-2026-40308 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →