Unauthenticated Information Disclosure (IDOR) via Multisite switch_to_blog in My Calendar
An unauthenticated Insecure Direct Object Reference (IDOR) and Denial of Service (DoS) vulnerability in the My Calendar plugin allows any unauthenticated user to extract calendar events (including private or hidden ones) from any sub-site on a WordPress Multisite network. On standard Single Site WordPress installations, this same endpoint crashes the PHP worker thread, creating an unauthenticated Denial of Service (DoS) vector.