CVE-2026-1987

Scheduler Widget <= 0.1.6 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary Event Modification

CVSS 5.4 MEDIUMEPSS 0.3%CWE-639

Vexday Risk Score

13Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 5.4EPSS 0.3%KEV nãoPoC —Nuclei —Metasploit —Patch —

Lifecycle

14 Feb 2026Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

The Scheduler Widget plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 0.1.6. This is due to the `scheduler_widget_ajax_save_event()` function lacking proper authorization checks and ownership verification when updating events. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify any event in the scheduler via the `id` parameter granted they have knowledge of the event ID.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

Affected products

morelmathieuj · Scheduler Widget

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://cwe.mitre.org/data/definitions/639.html https://cwe.mitre.org/data/definitions/862.html https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/05-Authorization_Testing/04-Testing_for_Insecure_Direct_Object_References https://plugins.trac.wordpress.org/browser/scheduler-widget/tags/0.1.6/scheduler-widget.php#L158 https://plugins.trac.wordpress.org/browser/scheduler-widget/trunk/scheduler-widget.php#L158 https://www.wordfence.com/threat-intel/vulnerabilities/id/fd5f370c-743f-41f1-80ab-7f0805cae38c?source=cve