Proactive Collection — WordPress Plugin Vulnerability


Published: May 3, 2026 | Updated: May 3, 2026

A high-severity vulnerability in the widely used My Calendar WordPress plugin exposes sites to data leakage and denial-of-service attacks. Tracked as CVE‑2026‑40308, the flaw allows unauthenticated attackers to extract private calendar events from multisite networks or crash single-site installations. For AI operators running WordPress-based agent dashboards or plugin-heavy infrastructure, this vulnerability underscores the growing supply-chain risk from third-party plugin code. Immediate patching to version 3.7.7 is required.

Key Context

On April 16, 2026, the OffSeq Threat Radar published details of CVE-2026-40308 affecting the My Calendar plugin (joedolson/my-calendar). The CVE ID was assigned through the CVE program, and the issue was publicly disclosed on April 16, 2026 at 21:30 UTC. The plugin developer released the patched version 3.7.7 on April 17, 2026. The flaw resides in an unauthenticated AJAX endpoint that mishandles user-supplied parameters, enabling an authorization bypass.

What Actually Happened

The OffSeq Threat Radar (Tier 3) disclosed CVE‑2026‑40308 on April 16, 2026. The vulnerability affects My Calendar versions 3.7.6 and below. The unauthenticated AJAX endpoint mc_ajax_mcjs_action uses PHP’s parse_str() without input validation, allowing an attacker to inject arbitrary parameters including the site parameter.

Multisite impact: An attacker can call switch_to_blog() with an arbitrary site ID, extracting calendar events from any sub-site, including private or hidden events.

Single-site impact: On single-site installations, switch_to_blog() does not exist, causing a PHP fatal error that crashes the worker thread, leading to an unauthenticated denial-of-service condition.

The CVSS rating has not been officially published, but the source describes the severity as “High.”
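As an added example that is not part of the original article or the plugin's code, the following PHP sketches the handler pattern described above: the weak parse_str()-to-switch_to_blog() flow appears as a comment, and a hardened equivalent sits beside it with an allow-list of accepted keys, a refusal to switch on single-site installs, and an existence and visibility check on the requested site. It assumes a `data` POST field carrying the query string; the example_-prefixed names are illustrative only.

```php
<?php
// Added illustrative code, not the My Calendar plugin's own.
// Names prefixed example_ and the 'data' POST field are assumptions.

/**
 * Resolve which site an unauthenticated AJAX request may read from.
 * Returns 0 when no switch is needed; throws when the value must be rejected.
 */
function example_resolve_site_id( string $raw_query ): int {
    parse_str( $raw_query, $parsed );                // untrusted key/value pairs
    $allowed = array( 'site' => 0 );                 // allow-list of accepted keys
    $args    = array_intersect_key( $parsed, $allowed ) + $allowed;
    $site_id = absint( $args['site'] );              // coerce to a non-negative int

    if ( 0 === $site_id || get_current_blog_id() === $site_id ) {
        return 0;                                    // stay on the current site
    }
    if ( ! is_multisite() ) {                        // switch_to_blog() is undefined here
        throw new InvalidArgumentException( 'site parameter not supported' );
    }
    $site = get_site( $site_id );                    // null for unknown IDs
    if ( null === $site || '1' !== (string) $site->public ) {
        throw new InvalidArgumentException( 'site is unknown or not public' );
    }
    return $site_id;
}

// Weak form (as described above): parse_str() on the raw body, then
// switch_to_blog( $args['site'] ) with no existence or multisite check.
// Hardened AJAX callback:
function example_mcjs_action() {
    $raw = isset( $_POST['data'] ) && is_string( $_POST['data'] ) ? wp_unslash( $_POST['data'] ) : '';
    try {
        $site_id = example_resolve_site_id( $raw );
    } catch ( InvalidArgumentException $e ) {
        wp_send_json_error( array( 'message' => $e->getMessage() ), 400 ); // exits
    }
    if ( $site_id ) {
        switch_to_blog( $site_id );
    }
    // Event loading hangs off a filter; loaders must return only public events.
    $events = apply_filters( 'example_public_events', array(), $site_id );
    if ( $site_id ) {
        restore_current_blog();
    }
    wp_send_json_success( $events );
}
add_action( 'wp_ajax_example_mcjs', 'example_mcjs_action' );
add_action( 'wp_ajax_nopriv_example_mcjs', 'example_mcjs_action' );
```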

The fix was released in version 3.7.7 of the My Calendar plugin. No secondary reports of active exploitation have been confirmed as of May 3, 2026. The CVE ID format (CVE‑2026‑40308) follows the official CVE numbering authority conventions.

Why This Matters for AI Operators

AI operators often maintain WordPress-based dashboards, documentation sites, or agent orchestration panels that rely on third-party plugins. My Calendar is used for scheduling model training runs, agent task calendars, and event management across teams. A compromised calendar plugin could leak metadata about AI project timelines, internal model names, or private event content.

Security implications for agent infrastructure: If an AI operator runs a multisite network (e.g., separate sites for dev, staging, and production), an attacker could pivot from a vulnerable calendar endpoint to extract data from all sub-sites. On single-site deployments, the denial-of-service vector can disrupt agent monitoring dashboards or kill worker threads that rely on the calendar plugin.

Supply-chain risk: This CVE adds to the growing list of WordPress plugin vulnerabilities that affect the AI toolchain. Operators should audit all plugins, not just those directly related to AI. The My Calendar plugin is maintained by joedolson, a respected developer, but the flaw demonstrates that even well-maintained plugins can introduce critical holes.

Opposing/Tempering Perspective

The vulnerability has not been observed in the wild as of May 3, 2026. No exploit code has been published, and the attack surface is limited to sites running the My Calendar plugin with the vulnerable endpoint exposed. The patch was released within 24 hours of disclosure, which is a fast response from the maintainer.

For single-site installations, the denial-of-service condition requires that the plugin is active and the AJAX endpoint is reachable. Many production environments block direct AJAX access via web application firewalls or reverse proxies. Additionally, the CVSS score has not been officially calculated, and the “High” rating from OffSeq may be a preliminary assessment.

Some security researchers argue that the use of parse_str() without validation is a common coding mistake, and that the real risk is limited to multisite configurations where sensitive data is stored across sub-sites. For operators running only single-site WordPress instances, the primary concern is the denial-of-service vector, which can be mitigated by rate-limiting or endpoint monitoring.

The Bottom Line

Actionable takeaway: If you operate any WordPress site — especially multisite networks — update the My Calendar plugin to version 3.7.7 immediately. Check all sites managed by your team, including internal tools, client dashboards, and agent orchestration panels. If the plugin is not in active use, disable and remove it to reduce attack surface.

What to watch for next: Monitor the OffSeq Threat Radar and the CVE database for exploitation reports or proof-of-concept code. Also watch for additional vulnerabilities in the My Calendar plugin or related WordPress calendar plugins. This CVE signals that plugin supply-chain risks remain a weak link for AI infrastructure that depends on WordPress.

© 2026 RedRook.ai — This article is for informational purposes only. Always verify patch status and test updates in a staging environment before deploying to production.