Vulnerabilities and security researches formy-calendar my-calendar

Apr 15, 2026

CVE, Research URL: CVE-2026-2355
Home page URL: Security reports for My Calendar
Application: My Calendar
Date: Mar 04, 2026
Research Description: The My Calendar – Accessible Event Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `template` attribute of the `[my_calendar_upcoming]` shortcode in all versions up to, and including, 3.7.3. This is due to the use of `stripcslashes()` on user-supplied shortcode attribute values in the `mc_draw_template()` function, which decodes C-style hex escape sequences (e.g., `\x3c` to `<`) at render time, bypassing WordPress's `wp_kses_post()` content sanitization that runs at save time. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: max 3.7.4.
Status: vulnerable

Dec 11, 2025

CVE, Research URL: CVE-2025-67592
Home page URL: Security reports for My Calendar
Application: My Calendar
Date: Dec 09, 2025
Research Description: Missing Authorization vulnerability in Joe Dolson My Calendar my-calendar allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects My Calendar: from n/a through <= 3.6.16.
Affected versions: max 3.6.16.
Status: vulnerable

Jun 10, 2024

CVE, Research URL: CVE-2022-36371
Home page URL: Security reports for My Calendar
Application: My Calendar
Date: -
Research Description: The My Calendar plugin for WordPress is vulnerable to Open Redirection in versions up to, and including, 3.3.16. This makes it possible for unauthenticated attackers to create links that look to be part of an affected site, but will redirect to the attacker's target. This vulnerability can be utilized for malicious redirection and can also be used for phishing.
Affected versions: max 3.3.16.
Status: vulnerable

Jun 07, 2024

CVE, Research URL: CVE-2012-6527
Home page URL: Security reports for My Calendar
Application: My Calendar
Date: Jan 31, 2013
Research Description: Cross-site scripting (XSS) vulnerability in the My Calendar plugin before 1.10.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO.
Affected versions: max 3.3.25.
Status: vulnerable

CVE, Research URL: CVE-2021-24927
Home page URL: Security reports for My Calendar
Application: My Calendar
Date: Nov 29, 2021
Research Description: The My Calendar WordPress plugin before 3.2.18 does not sanitise and escape the callback parameter of the mc_post_lookup AJAX action (available to any authenticated user) before outputting it back in the response, leading to a Reflected Cross-Site Scripting issue
Affected versions: max 3.2.18.
Status: vulnerable

CVE, Research URL: CVE-2019-15713
Home page URL: Security reports for My Calendar
Application: My Calendar
Date: Aug 28, 2019
Research Description: The my-calendar plugin before 3.1.10 for WordPress has XSS.
Affected versions: max 3.1.10.
Status: vulnerable

CVE, Research URL: CVE-2022-47427
Home page URL: Security reports for My Calendar
Application: My Calendar
Date: Mar 15, 2023
Research Description: Cross-Site Request Forgery (CSRF) vulnerability in Joseph C Dolson My Calendar plugin <= 3.3.24.1 versions.
Affected versions: max 3.4.4.
Status: vulnerable

CVE, Research URL: CVE-2023-23813
Home page URL: Security reports for My Calendar
Application: My Calendar
Date: May 22, 2023
Research Description: Cross-Site Request Forgery (CSRF) vulnerability in Joseph C Dolson My Calendar plugin <= 3.4.3 versions.
Affected versions: max 2.3.29.
Status: vulnerable

CVE, Research URL: CVE-2024-1274
Home page URL: Security reports for My Calendar
Application: My Calendar
Date: Apr 02, 2024
Research Description: The My Calendar WordPress plugin before 3.4.24 does not sanitise and escape some parameters, which could allow users with a role as low as Subscriber to perform Cross-Site Scripting attacks (depending on the permissions set by the admin)
Affected versions: max 3.4.24.
Status: vulnerable

CVE, Research URL: CVE-2023-6360
Home page URL: Security reports for My Calendar
Application: My Calendar
Date: Nov 30, 2023
Research Description: The 'My Calendar' WordPress Plugin, version < 3.4.22 is affected by an unauthenticated SQL injection vulnerability in the 'from' and 'to' parameters in the '/my-calendar/v1/events' rest route.
Affected versions: max 3.4.24.
Status: vulnerable

CVE, Research URL: CVE-2024-25916
Home page URL: Security reports for My Calendar
Application: My Calendar
Date: Mar 15, 2024
Research Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Joseph C Dolson My Calendar allows Stored XSS.This issue affects My Calendar: from n/a through 3.4.23.
Affected versions: max 3.4.24.
Status: vulnerable