Key vulnerability information

Vulnerability type: Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary Event Modification
CVE ID: CVE-2026-1987
CVSS score: 5.4 (Medium)
Publicly published: February 13, 2026
Last updated: February 14, 2026
Affected versions: <= 0.1.6

Summary: The Scheduler Widget plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 0.1.6. This is due to the function lacking proper authorization checks and ownership verification when updating events. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify any event in the scheduler via the 'id' parameter, granted they have knowledge of the event ID.

Patch status: No known patch available.

Remediation: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.