CVE-2026-1987

5.4 MEDIUM
Published: February 14, 2026 Modified: February 18, 2026
View on NVD

Description

The Scheduler Widget plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 0.1.6. This is due to the `scheduler_widget_ajax_save_event()` function lacking proper authorization checks and ownership verification when updating events. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify any event in the scheduler via the `id` parameter granted they have knowledge of the event ID.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

CVSS v3.x Details

0.0 Low Medium High Critical 10.0
Vector String
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory
https://cwe.mitre.org/data/definitions/639.html
Source: security@wordfence.com
https://cwe.mitre.org/data/definitions/862.html
Source: security@wordfence.com
https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/05-Authorization_Testing/04-Testing_for_Insecure_Direct_Object_References
Source: security@wordfence.com
https://plugins.trac.wordpress.org/browser/scheduler-widget/tags/0.1.6/scheduler-widget.php#L158
Source: security@wordfence.com
https://plugins.trac.wordpress.org/browser/scheduler-widget/trunk/scheduler-widget.php#L158
Source: security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/fd5f370c-743f-41f1-80ab-7f0805cae38c?source=cve
Source: security@wordfence.com

6 reference(s) from NVD

Quick Stats

CVSS v3 Score
5.4 / 10.0
EPSS (Exploit Probability)
0.1%
17th percentile
Exploitation Status
Not in CISA KEV

Weaknesses (CWE)

CWE-639

Related CVEs

CVE-2026-4539 3.3
CVE-2026-4538 5.3
CVE-2026-4537 4.7
CVE-2026-4536 7.3
CVE-2026-4535 8.8