CVE-2026-1987

Published: Feb 14, 2026Modified: Feb 18, 2026

5.4

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

Exploitability: 2.8 / Impact: 2.5

Source: security@wordfence.com

Description

The Scheduler Widget plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 0.1.6. This is due to the `scheduler_widget_ajax_save_event()` function lacking proper authorization checks and ownership verification when updating events. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify any event in the scheduler via the `id` parameter granted they have knowledge of the event ID.

Related CWEs

Authorization Bypass Through User-Controlled Key

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

References (6)

https://cwe.mitre.org/data/definitions/639.html

Source: security@wordfence.com

https://cwe.mitre.org/data/definitions/862.html

Source: security@wordfence.com

https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/05-Authorization_Testing/04-Testing_for_Insecure_Direct_Object_References

Source: security@wordfence.com

https://plugins.trac.wordpress.org/browser/scheduler-widget/tags/0.1.6/scheduler-widget.php#L158

Source: security@wordfence.com

https://plugins.trac.wordpress.org/browser/scheduler-widget/trunk/scheduler-widget.php#L158

Source: security@wordfence.com

https://www.wordfence.com/threat-intel/vulnerabilities/id/fd5f370c-743f-41f1-80ab-7f0805cae38c?source=cve

Source: security@wordfence.com

Timeline

No history available yet.