cleantalk
Vulnerabilities and Security Researches

Vulnerabilities and security researches for my-calendar

Jun 16, 2026

My Calendar # 6acc3366fe7e5211b6aca600bcba7dc59460b3a1

Application

My Calendar

Date
Jul 18, 2022
Research Description
My Calendar – Accessible Event Manager [my-calendar] < 3.3.17
My Calendar <= 3.3.16 - Administrator+ Stored Cross-Site Scripting
The My Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via various parameters including the ‘street’ parameter in versions up to, and including, 3.3.16 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions
max 3.3.17.
Status
vulnerable

My Calendar # fdb3f189338b2d4afc58a13fc22309caacac471c

Application

My Calendar

Date
Aug 02, 2022
Research Description
My Calendar – Accessible Event Manager [my-calendar] < 3.3.17
WordPress My Calendar plugin <= 3.3.16 - Unauthenticated Open Redirect vulnerability
Unauthenticated Open Redirect vulnerability discovered by Dan Kegel in WordPress My Calendar plugin (versions <= 3.3.16). Update the WordPress My Calendar plugin to the latest available version (at least 3.3.17).
Affected versions
max 3.3.17.
Status
vulnerable

My Calendar # e56c726edc80e9d6a1ca010ba0230a895ac91948

Application

My Calendar

Date
Apr 04, 2018
Research Description
My Calendar – Accessible Event Manager [my-calendar] < 2.5.17
My Calendar <= 2.5.16 - Authenticated Stored Cross-Site Scripting
The My Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘event_time_label’ parameter in versions up to, and including, 2.6.16 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions
max 2.5.17.
Status
vulnerable

My Calendar # 2b9cc8a42a7d5bd8c6ab38da456950585d352eb5

Application

My Calendar

Date
Apr 20, 2015
Research Description
My Calendar – Accessible Event Manager [my-calendar] < 2.3.10
My Calendar < 2.3.10 - Reflected Cross-Site Scripting
The My Calendar plugin for WordPress is vulnerable to Cross-Site Scripting in versions before 2.3.10 due to insufficient input sanitization and output escaping. This makes it possible for attackers to inject arbitrary web scripts that execute in a victim's browser.
Affected versions
max 2.3.10.
Status
vulnerable

My Calendar # 98a40c98b3e52a23785b3900ba4563314f21764c

Application

My Calendar

Date
May 06, 2019
Research Description
My Calendar – Accessible Event Manager [my-calendar] < 3.1.10
WordPress My Calendar plugin <= 3.1.9 - Unauthenticated Cross-Site Scripting (XSS) vulnerability
Unauthenticated Cross-Site Scripting (XSS) vulnerability found by Andreas Hell in WordPress My Calendar plugin (versions <= 3.1.9).
Affected versions
max 3.1.10.
Status
vulnerable

My Calendar # a699bc187b1e52515ad6fa2d523506ac48415722

Application

My Calendar

Date
Apr 20, 2015
Research Description
My Calendar – Accessible Event Manager [my-calendar] < 2.3.29
WordPress My Calendar Plugin <= 2.3.28 - Cross Site Scripting
Because of this vulnerability, attackers can inject arbitrary JavaScript or HTML code. Update the plugin.
Affected versions
max 2.3.29.
Status
vulnerable

My Calendar # 0c2298fe4231edc362acf8a023a81f0b9a3c411c

Application

My Calendar

Date
May 15, 2015
Research Description
My Calendar – Accessible Event Manager [my-calendar] < 2.3.30
My Calendar < 2.3.30 - Reflected Cross-Site Scripting
The My Calendar plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘value’ parameter in versions before 2.3.30 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Affected versions
max 2.3.30.
Status
vulnerable

My Calendar # 7ec2558b1a68abfb56a73202c9427fee4df8f7b8

Application

My Calendar

Date
Jan 20, 2023
Research Description
My Calendar – Accessible Event Manager [my-calendar] < 3.4.4
My Calendar <= 3.4.3 - Cross-Site Request Forgery
The My Calendar plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.4.3. This is due to missing or incorrect nonce validation on several functions. This makes it possible for unauthenticated attackers to invoke those functions via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.
Affected versions
max 3.4.4.
Status
vulnerable

My Calendar # c3485d76b9ba3b87cd1619dcbbd4b691fb77b2c3

Application

My Calendar

Date
Nov 06, 2015
Research Description
My Calendar – Accessible Event Manager [my-calendar] < 2.4.11
WordPress My Calendar Plugin 2.4.10 - Multiple Vulnerabilities
My Calendar plugin is prone to multiple vulnerabilities, such as CSRF and XSS. Update the plugin.
Affected versions
max 2.4.11.
Status
vulnerable

My Calendar # 32ce7ff8ce4913b8673e806735238903ecef4079

Application

My Calendar

Date
May 15, 2015
Research Description
My Calendar – Accessible Event Manager [my-calendar] < 2.3.30
WordPress My Calendar Plugin <= 2.3.29 - Multiple Vulnerabilities
This plugin is prone to reflected XSS and arbitrary file override vulnerabilities. Because of them, attackers can override any existing file that is stored on the server or inject arbitrary JavaScript or HTML. Update this plugin.
Affected versions
max 2.3.30.
Status
vulnerable

My Calendar # 47ef35558fadbfca5646dbe92e092952f4ddd7a0

Application

My Calendar

Date
Apr 05, 2018
Research Description
My Calendar – Accessible Event Manager [my-calendar] < 2.5.17
WordPress My Calendar plugin <= 2.5.16 - Authenticated Cross-Site Scripting (XSS) vulnerability
Authenticated Cross-Site Scripting (XSS) vulnerability found in WordPress My Calendar plugin (versions <= 2.5.16).
Affected versions
max 2.5.17.
Status
vulnerable

My Calendar # 1b5d555c435278e0c5b11486f75e0e7a4556c983

Application

My Calendar

Date
May 15, 2015
Research Description
My Calendar – Accessible Event Manager [my-calendar] < 2.3.30
My Calendar <= 2.3.29 - Path Traversal to Remote Code Execution
The My Calendar plugin for WordPress is vulnerable to Path Traversal in versions up to, and including, 2.3.29 via the 'edit_my_calendar_styles' function in the 'my-calendar-styles.php' file. This allows unauthenticated attackers to overwrite the contents of all files the vulnerable service has access to, including adding executable PHP to PHP files.
Affected versions
max 2.3.30.
Status
vulnerable

My Calendar # 1886eb1db8aa9adf0a53533cf1f66b0bec8f6bc4

Application

My Calendar

Date
Jan 03, 2023
Research Description
My Calendar – Accessible Event Manager [my-calendar] < 3.3.25
My Calendar <= 3.3.24.1 - Cross-Site Request Forgery
The My Calendar plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.3.24.1. This is due to missing or incorrect nonce validation on several functions handling the deletion of events and locations. This makes it possible for unauthenticated attackers to remove events or locations via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.
Affected versions
max 3.3.25.
Status
vulnerable

My Calendar # 39459852-324e-4e8d-93d1-18fb3f41f749

Application

My Calendar

Date
-
Research Description
My Calendar – Accessible Event Manager [my-calendar] < 2.3.30
My Calendar <= 2.3.29 - Arbitrary File Override & Reflected XSS
The file override vulnerability allows an admin to override any file on the web server, ignoring settings such as DISALLOW_FILE_EDIT.
Affected versions
max 2.3.30.
Status
vulnerable

My Calendar # bde4f31062c4e929459e32daf53ed3bdda188112

Application

My Calendar

Date
Feb 11, 2024
Research Description
My Calendar – Accessible Event Manager [my-calendar] < 3.4.24
My Calendar <= 3.4.23 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
The My Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in all versions up to, and including, 3.4.23 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions
max 3.4.24.
Status
vulnerable

My Calendar # ae279565ffb6079026256a60335315e56ecd917a

Application

My Calendar

Date
Feb 11, 2024
Research Description
My Calendar – Accessible Event Manager [my-calendar] < 3.4.24
My Calendar <= 3.4.23 - Authenticated (Admin+) Stored Cross-Site Scripting via Events
The My Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via events in all versions up to, and including, 3.4.23 due to insufficient input sanitization and output escaping on event dates. This makes it possible for authenticated attackers, with admin-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions
max 3.4.24.
Status
vulnerable

My Calendar # 03e970f0-5c80-4bfa-9ea8-d1555599dae9

Application

My Calendar

Date
-
Research Description
My Calendar – Accessible Event Manager [my-calendar] < 2.5.17
My Calendar <= 2.5.16 - Authenticated Cross-Site Scripting (XSS)
An authenticated user who can add new events can inject arbitrary JavaScript code via the event_time_label input. The arbitrary code runs both on the event page and in the admin panel. In my-calendar-event-manager.php, line 1873, the variable $eventTime is not sanitized.
Affected versions
max 2.5.17.
Status
vulnerable

My Calendar # be9da608-bfa3-4c1e-af14-2a393d770a64

Application

My Calendar

Date
-
Research Description
My Calendar – Accessible Event Manager [my-calendar] < 2.3.29
My Calendar <= 2.3.28 - Cross-Site Scripting (XSS)
The My Calendar WordPress plugin was affected by a Cross-Site Scripting (XSS) security vulnerability.
Affected versions
max 2.3.29.
Status
vulnerable

Jun 13, 2026

My Calendar # CVE-2026-40308

CVE, Research URL

CVE-2026-40308

Application

My Calendar

Date
Apr 17, 2026
Research Description
My Calendar is a WordPress plugin for managing calendar events. In versions 3.7.6 and below, the mc_ajax_mcjs_action AJAX endpoint, registered for unauthenticated users, passes user-supplied arguments through parse_str() without validation, allowing injection of arbitrary parameters including a site value. On WordPress Multisite installations, this enables an unauthenticated attacker to call switch_to_blog() with an arbitrary site ID and extract calendar events from any sub-site on the network, including private or hidden events. On standard Single Site installations, switch_to_blog() does not exist, causing an uncaught PHP fatal error and crashing the worker thread, creating an unauthenticated denial of service vector. This issue has been fixed in version 3.7.7.
Affected versions
max 3.7.7.
Status
vulnerable

May 15, 2026

My Calendar # CVE-2026-7525

CVE, Research URL

CVE-2026-7525

Application

My Calendar

Date
May 14, 2026
Research Description
The My Calendar – Accessible Event Manager plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.7.9. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with custom-level access and above, to bypass the moderation and approval workflow by tampering with the POST body to publish events or set other unauthorized statuses such as cancelled or private, in ways their role does not permit. While the UI correctly restricts low-privilege users to a draft-only submit button, this restriction is enforced only client-side, making it trivially bypassable by directly manipulating the POST request.
Affected versions
max 3.7.10.
Status
vulnerable

Apr 15, 2026

My Calendar # CVE-2026-2355

CVE, Research URL

CVE-2026-2355

Application

My Calendar

Date
Mar 04, 2026
Research Description
The My Calendar – Accessible Event Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `template` attribute of the `[my_calendar_upcoming]` shortcode in all versions up to, and including, 3.7.3. This is due to the use of `stripcslashes()` on user-supplied shortcode attribute values in the `mc_draw_template()` function, which decodes C-style hex escape sequences (e.g., `\x3c` to `<`) at render time, bypassing WordPress's `wp_kses_post()` content sanitization that runs at save time. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions
max 3.7.4.
Status
vulnerable

Dec 11, 2025

My Calendar # CVE-2025-67592

CVE, Research URL

CVE-2025-67592

Application

My Calendar

Date
Dec 09, 2025
Research Description
Missing Authorization vulnerability in Joe Dolson My Calendar my-calendar allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects My Calendar: from n/a through <= 3.6.16.
Affected versions
max 3.6.17.
Status
vulnerable

Jun 10, 2024

My Calendar # CVE-2022-36371

CVE, Research URL

CVE-2022-36371

Application

My Calendar

Date
-
Research Description
The My Calendar plugin for WordPress is vulnerable to Open Redirection in versions up to, and including, 3.3.16. This makes it possible for unauthenticated attackers to create links that look to be part of an affected site, but will redirect to the attacker's target. This vulnerability can be utilized for malicious redirection and can also be used for phishing.
Affected versions
max 3.3.16.
Status
vulnerable

Jun 07, 2024

My Calendar # CVE-2012-6527

CVE, Research URL

CVE-2012-6527

Application

My Calendar

Date
Jan 31, 2013
Research Description
Cross-site scripting (XSS) vulnerability in the My Calendar plugin before 1.10.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO.
Affected versions
max 1.10.5.
Status
vulnerable

My Calendar # CVE-2021-24927

CVE, Research URL

CVE-2021-24927

Application

My Calendar

Date
Nov 29, 2021
Research Description
The My Calendar WordPress plugin before 3.2.18 does not sanitise and escape the callback parameter of the mc_post_lookup AJAX action (available to any authenticated user) before outputting it back in the response, leading to a Reflected Cross-Site Scripting issue.
Affected versions
max 3.2.18.
Status
vulnerable

My Calendar # CVE-2019-15713

CVE, Research URL

CVE-2019-15713

Application

My Calendar

Date
Aug 28, 2019
Research Description
The my-calendar plugin before 3.1.10 for WordPress has XSS.
Affected versions
max 3.1.10.
Status
vulnerable

My Calendar # CVE-2022-47427

CVE, Research URL

CVE-2022-47427

Application

My Calendar

Date
Mar 15, 2023
Research Description
Cross-Site Request Forgery (CSRF) vulnerability in Joseph C Dolson My Calendar plugin <= 3.3.24.1 versions.
Affected versions
max 3.3.25.
Status
vulnerable

My Calendar # CVE-2023-23813

CVE, Research URL

CVE-2023-23813

Application

My Calendar

Date
May 22, 2023
Research Description
Cross-Site Request Forgery (CSRF) vulnerability in Joseph C Dolson My Calendar plugin <= 3.4.3 versions.
Affected versions
max 3.4.4.
Status
vulnerable

My Calendar # CVE-2024-1274

CVE, Research URL

CVE-2024-1274

Application

My Calendar

Date
Apr 02, 2024
Research Description
The My Calendar WordPress plugin before 3.4.24 does not sanitise and escape some parameters, which could allow users with a role as low as Subscriber to perform Cross-Site Scripting attacks (depending on the permissions set by the admin).
Affected versions
max 3.4.24.
Status
vulnerable

My Calendar # CVE-2023-6360

CVE, Research URL

CVE-2023-6360

Application

My Calendar

Date
Nov 30, 2023
Research Description
The 'My Calendar' WordPress Plugin, version < 3.4.22, is affected by an unauthenticated SQL injection vulnerability in the 'from' and 'to' parameters in the '/my-calendar/v1/events' REST route.
Affected versions
max 3.4.22.
Status
vulnerable

My Calendar # CVE-2024-25916

CVE, Research URL

CVE-2024-25916

Application

My Calendar

Date
Mar 15, 2024
Research Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Joseph C Dolson My Calendar allows Stored XSS. This issue affects My Calendar: from n/a through 3.4.23.
Affected versions
max 3.4.24.
Status
vulnerable