An unauthenticated Insecure Direct Object Reference (IDOR) and Denial of Service (DoS) vulnerability in the My Calendar plugin allows any unauthenticated user to extract calendar events (including private or hidden ones) from any sub-site on a WordPress Multisite network. On standard Single Site WordPress installations, this same endpoint crashes the PHP worker thread, creating an unauthenticated Denial of Service (DoS) vector.
The vulnerability stems from the mc_ajax_mcjs_action AJAX function, which handles the mcjs_action endpoint. This endpoint is explicitly registered for unauthenticated users:
<?php
// In my-calendar-ajax.php
add_action( 'wp_ajax_nopriv_mcjs_action', 'mc_ajax_mcjs_action' );
When the behavior parameter is set to loadupcoming, the plugin accepts an args parameter from the $_REQUEST array. Instead of validating specific expected arguments, the plugin unsafely passes the entire string into PHP's parse_str() function:
<?php
$request = isset( $_REQUEST['args'] ) ? wp_unslash( sanitize_text_field( $_REQUEST['args'] ) ) : array();
$request = str_replace( '|', '&', $request );
$request = parse_str( $request, $args );
// ...
$response = my_calendar_upcoming_events( $args );
This allows an attacker to inject arbitrary key-value pairs into the $args array. This array is then passed to the my_calendar_upcoming_events() function located in my-calendar-widgets.php.
At the beginning of this function, the plugin processes the attacker-controlled site argument:
<?php
// In my-calendar-widgets.php
if ( $args['site'] ) {
    $args['site'] = ( 'global' === $args['site'] ) ? BLOG_ID_CURRENT_SITE : $args['site'];
    switch_to_blog( $args['site'] );
}
The plugin blindly passes the attacker's supplied site ID into WordPress core's switch_to_blog() function without checking if the requesting user has the appropriate network-level privileges (e.g., Super Admin).
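The following is a hardened version of the loadupcoming branch, added here as an illustration of closing both gaps described above (the unfiltered parse_str() keys and the unchecked switch_to_blog() call); it is not the plugin's actual fix. The function name hardened_mcjs_loadupcoming, the allowed-key list and the use of the manage_network capability are assumptions.

```php
<?php
// Added example, not the plugin's own patch. Assumes the handler is still
// registered via wp_ajax_nopriv_mcjs_action and that
// my_calendar_upcoming_events() takes the same $args array shown on the page.

function hardened_mcjs_loadupcoming() {
    // Only keys the widget actually understands survive; parse_str() can no
    // longer inject arbitrary entries into $args. (Key list is illustrative.)
    $allowed = array( 'before', 'after', 'skip', 'type', 'category', 'site' );

    $raw = isset( $_REQUEST['args'] ) ? sanitize_text_field( wp_unslash( $_REQUEST['args'] ) ) : '';
    parse_str( str_replace( '|', '&', $raw ), $parsed ); // parse_str() returns void

    $args     = array_intersect_key( (array) $parsed, array_flip( $allowed ) );
    $switched = false;

    if ( isset( $args['site'] ) ) {
        if ( ! is_multisite() ) {
            // Single-site installs have no other blog to switch to: drop the
            // argument instead of reaching switch_to_blog() at all.
            unset( $args['site'] );
        } elseif ( ! current_user_can( 'manage_network' ) ) {
            // Cross-site reads require network-level privileges; unauthenticated
            // callers of the nopriv hook never pass this check.
            wp_send_json_error( 'insufficient privileges for cross-site query', 403 );
        } else {
            $site_id = ( 'global' === $args['site'] ) ? (int) BLOG_ID_CURRENT_SITE : absint( $args['site'] );
            if ( ! get_site( $site_id ) ) {
                wp_send_json_error( 'unknown site', 400 );
            }
            $args['site'] = $site_id;
            switch_to_blog( $site_id );
            $switched = true;
        }
    }

    $response = my_calendar_upcoming_events( $args );

    if ( $switched ) {
        restore_current_blog(); // always undo the switch before responding
    }
    wp_send_json_success( $response );
}
```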
On Multisite configurations, the...
3.7.7
CVSS 4.0 score: 8.8
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N
Exploitability: AV:N, AC:L, AT:N, PR:N, UI:N
Vulnerable System: VC:L, VI:N, VA:H
Subsequent System: SC:N, SI:N, SA:N