WordPress Plugin Vulnerabilities

Scheduler Widget <= 0.1.6 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary Event Modification

Description

The Scheduler Widget plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 0.1.6. This is due to the `scheduler_widget_ajax_save_event()` function lacking proper authorization checks and ownership verification when updating events. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify any event in the scheduler via the `id` parameter granted they have knowledge of the event ID.

Affects Plugins

Plugin icon
scheduler-widget
No known fix

References

CVE
CVE-2026-1987
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/fd5f370c-743f-41f1-80ab-7f0805cae38c

Classification

Type
IDOR
OWASP top 10
A5: Broken Access Control
CWE
CWE-639
CVSS
5.4 (medium)

Miscellaneous

Original Researcher
MD. TAREQ AHAMED JONY (itztrq)
Verified
No
WPVDB ID
09b258dc-6231-4db5-b759-797b675d7a57

Timeline

Publicly Published
2026-02-13 (about 1 month ago)
Added
2026-02-13 (about 1 month ago)
Last Updated
2026-02-14 (about 1 month ago)

Other

Published
Title
Published
2026-01-06
Title
LearnPress – WordPress LMS Plugin < 4.3.2.2 - Insecure Direct Object Reference to Authenticated (Instructor+) Teacher Material Deletion
Published
2025-12-03
Title
Post Grid and Gutenberg Blocks <= 2.3.19 - Unauthenticated Insecure Direct Object Reference
Published
2024-09-05
Title
WP-Recall – Registration, Profile, Commerce & More < 16.26.9 - Insecure Direct Object Reference to Unauthenticated Arbitrary Password Update
Published
2025-04-16
Title
Forminator < 1.42.1 - Order Replay Vulnerability
Published
2026-01-09
Title
Rosebud <= 1.4 - Authenticated (Subscriber+) Insecure Direct Object Reference