Vulnerabilities and security researches forpretty-google-calendar pretty-google-calendar

Jun 06, 2024

CVE, Research URL: 108592b21ce378ea97ed3358701ef7d2d31d75db
Home page URL: Security reports for Pretty Google Calendar
Application: Pretty Google Calendar
Date: Sep 25, 2023
Research Description: Pretty Google Calendar [pretty-google-calendar] < 1.6.0 Pretty Google Calendar <= 1.5.1 - Authenticated(Contributor+) Stored Cross-Site Scripting via pretty_google_calendar shortcode The Pretty Google Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in versions up to, and including, 1.5.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: max 1.6.0.
Status: vulnerable

CVE, Research URL: CVE-2024-33640
Home page URL: Security reports for Pretty Google Calendar
Application: Pretty Google Calendar
Date: Apr 29, 2024
Research Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LBell Pretty Google Calendar allows Stored XSS.This issue affects Pretty Google Calendar: from n/a through 1.7.2.
Affected versions: max 2.0.0.
Status: vulnerable

Jan 11, 2026

CVE, Research URL: CVE-2025-12898
Home page URL: Security reports for Pretty Google Calendar
Application: Pretty Google Calendar
Date: Dec 20, 2025
Research Description: The Pretty Google Calendar plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the pgcal_ajax_handler() function in all versions up to, and including, 2.0.0. This makes it possible for unauthenticated attackers to retrieve the Google API key set in the plugin's settings.
Affected versions: max 2.0.0.
Status: vulnerable