cleantalk
Vulnerabilities and Security Researches

Vulnerabilities and security researches for the-events-calendar

Jun 07, 2024

The Events Calendar # CVE-2019-15109

CVE, Research URL

CVE-2019-15109

Application

The Events Calendar

Date
Aug 21, 2019
Research Description
The the-events-calendar plugin before 4.8.2 for WordPress has XSS via the tribe_paged URL parameter.
Affected versions
max 4.8.2.
Status
vulnerable

The Events Calendar # CVE-2023-6203

CVE, Research URL

CVE-2023-6203

Application

The Events Calendar

Date
Dec 19, 2023
Research Description
The Events Calendar WordPress plugin before 6.2.8.1 discloses the content of password protected posts to unauthenticated users via a crafted request.
Affected versions
max 6.2.8.1.
Status
vulnerable

The Events Calendar # CVE-2023-6557

CVE, Research URL

CVE-2023-6557

Application

The Events Calendar

Date
Feb 06, 2024
Research Description
The The Events Calendar plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 6.2.8.2 via the route function hooked into wp_ajax_nopriv_tribe_dropdown. This makes it possible for unauthenticated attackers to extract potentially sensitive data including post titles and IDs of pending, private and draft posts.
Affected versions
max 6.2.9.
Status
vulnerable

The Events Calendar # CVE-2024-31433

CVE, Research URL

CVE-2024-31433

Application

The Events Calendar

Date
Apr 15, 2024
Research Description
Cross-Site Request Forgery (CSRF) vulnerability in StellarWP The Events Calendar the-events-calendar. This issue affects The Events Calendar: from n/a through <= 6.3.0.
Affected versions
max 6.3.1.
Status
vulnerable

The Events Calendar # CVE-2024-4180

CVE, Research URL

CVE-2024-4180

Application

The Events Calendar

Date
Jun 04, 2024
Research Description
The Events Calendar WordPress plugin before 6.4.0.1 does not properly sanitize user-submitted content when rendering some views via AJAX.
Affected versions
max 6.4.0.1.
Status
vulnerable

The Events Calendar # CVE-2024-1295

CVE, Research URL

CVE-2024-1295

Application

The Events Calendar

Date
Jun 14, 2024
Research Description
The events-calendar-pro WordPress plugin before 6.4.0.1, The Events Calendar WordPress plugin before 6.4.0.1 does not prevent users with at least the contributor role from leaking details about events they shouldn't have access to. (e.g. password-protected events, drafts, etc.)
Affected versions
max 6.4.0.1.
Status
vulnerable
Jun 10, 2024

The Events Calendar # CVE-2023-35777

CVE, Research URL

CVE-2023-35777

Application

The Events Calendar

Date
Dec 13, 2024
Research Description
Missing Authorization vulnerability in The Events Calendar The Events Calendar allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects The Events Calendar: from n/a through 6.1.2.2.
Affected versions
max 6.1.3.
Status
vulnerable
Jul 08, 2024

The Events Calendar # CVE-2024-37518

CVE, Research URL

CVE-2024-37518

Application

The Events Calendar

Date
Jan 02, 2025
Research Description
Cross-Site Request Forgery (CSRF) vulnerability in StellarWP The Events Calendar the-events-calendar allows Cross Site Request Forgery. This issue affects The Events Calendar: from n/a through <= 6.5.1.4.
Affected versions
max 6.5.1.5.
Status
vulnerable
Jul 24, 2024

The Events Calendar # CVE-2024-6931

CVE, Research URL

CVE-2024-6931

Application

The Events Calendar

Date
Sep 27, 2024
Research Description
The The Events Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via RSVP name field in all versions up to, and including, 6.6.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions
max 6.6.4.
Status
vulnerable
Sep 26, 2024

The Events Calendar # CVE-2024-8275

CVE, Research URL

CVE-2024-8275

Application

The Events Calendar

Date
Sep 25, 2024
Research Description
The The Events Calendar plugin for WordPress is vulnerable to SQL Injection via the 'order' parameter of the 'tribe_has_next_event' function in all versions up to, and including, 6.6.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. Only sites that have manually added tribe_has_next_event() will be vulnerable to this SQL injection.
Affected versions
max 6.6.4.1.
Status
vulnerable
Oct 12, 2024

The Events Calendar # CVE-2024-8493

CVE, Research URL

CVE-2024-8493

Application

The Events Calendar

Date
May 16, 2025
Research Description
The Events Calendar WordPress plugin before 6.6.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
Affected versions
max 6.6.4.
Status
vulnerable
Nov 14, 2024

The Events Calendar # CVE-2022-4974

CVE, Research URL

CVE-2022-4974

Application

The Events Calendar

Date
Oct 16, 2024
Research Description
The Freemius SDK, as used by hundreds of WordPress plugin and theme developers, was vulnerable to Cross-Site Request Forgery and Information disclosure due to missing capability checks and nonce protection on the _get_debug_log, _get_db_option, and the _set_db_option functions in versions up to, and including 2.4.2. Any WordPress plugin or theme running a version of Freemius less than 2.4.3 is vulnerable.
Affected versions
max 5.14.0.4.
Status
vulnerable
Dec 17, 2024

The Events Calendar # CVE-2024-5333

CVE, Research URL

CVE-2024-5333

Application

The Events Calendar

Date
Dec 16, 2024
Research Description
The Events Calendar WordPress plugin before 6.8.2.1 is missing access checks in the REST API, allowing for unauthenticated users to access information about password protected events.
Affected versions
max 6.8.2.1.
Status
vulnerable
Jan 23, 2025

The Events Calendar # CVE-2024-12118

CVE, Research URL

CVE-2024-12118

Application

The Events Calendar

Date
Jan 23, 2025
Research Description
The The Events Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Event Calendar Link Widget through the html_tag attribute in all versions up to, and including, 6.9.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions
max 6.9.1.
Status
vulnerable
Jan 28, 2025

The Events Calendar # CVE-2025-24537

CVE, Research URL

CVE-2025-24537

Application

The Events Calendar

Date
Jan 27, 2025
Research Description
Cross-Site Request Forgery (CSRF) vulnerability in StellarWP The Events Calendar the-events-calendar allows Cross Site Request Forgery. This issue affects The Events Calendar: from n/a through <= 6.7.0.
Affected versions
max 6.7.1.
Status
vulnerable
Jun 15, 2025

The Events Calendar # CVE-2025-5144

CVE, Research URL

CVE-2025-5144

Application

The Events Calendar

Date
Jun 11, 2025
Research Description
The The Events Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘data-date-*’ parameters in all versions up to, and including, 6.13.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions
max 6.13.2.1.
Status
vulnerable
Dec 10, 2025

The Events Calendar # CVE-2025-12197

CVE, Research URL

CVE-2025-12197

Application

The Events Calendar

Date
Nov 05, 2025
Research Description
The The Events Calendar plugin for WordPress is vulnerable to blind SQL Injection via the 's' parameter in versions 6.15.1.1 to 6.15.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Affected versions
max 6.15.10.
Status
vulnerable

The Events Calendar # CVE-2025-12175

CVE, Research URL

CVE-2025-12175

Application

The Events Calendar

Date
Oct 31, 2025
Research Description
The The Events Calendar plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the 'tec_qr_code_modal' AJAX endpoint in all versions up to, and including, 6.15.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view draft event names and generate/view QR codes for them.
Affected versions
max 6.15.10.
Status
vulnerable

The Events Calendar # CVE-2025-12192

CVE, Research URL

CVE-2025-12192

Application

The Events Calendar

Date
Nov 05, 2025
Research Description
The Events Calendar plugin for WordPress is vulnerable to information disclosure in versions up to, and including, 6.15.9. The sysinfo REST endpoint compares the provided key to the stored opt-in key using a loose comparison, allowing unauthenticated attackers to send a boolean value and obtain the full system report whenever "Yes, automatically share my system information with The Events Calendar support team" setting is enabled.
Affected versions
max 6.15.10.
Status
vulnerable
Jan 27, 2026

The Events Calendar # CVE-2025-15043

CVE, Research URL

CVE-2025-15043

Application

The Events Calendar

Date
Jan 20, 2026
Research Description
The The Events Calendar plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the 'start_migration', 'cancel_migration', and 'revert_migration' functions in all versions up to, and including, 6.15.13. This makes it possible for authenticated attackers, with subscriber level access and above, to start, cancel, or revert the Custom Tables V1 database migration, including dropping the custom database tables entirely via the revert action.
Affected versions
max 6.15.13.1.
Status
vulnerable

The Events Calendar # CVE-2025-69352

CVE, Research URL

CVE-2025-69352

Application

The Events Calendar

Date
Jan 06, 2026
Research Description
Missing Authorization vulnerability in StellarWP The Events Calendar the-events-calendar allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects The Events Calendar: from n/a through <= 6.15.12.2.
Affected versions
max 6.15.13.
Status
vulnerable
Apr 14, 2026

The Events Calendar # CVE-2026-3585

CVE, Research URL

CVE-2026-3585

Application

The Events Calendar

Date
Mar 10, 2026
Research Description
The The Events Calendar plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 6.15.17 via the 'ajax_create_import' function. This makes it possible for authenticated attackers, with Author-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.
Affected versions
max 6.15.17.1.
Status
vulnerable

The Events Calendar # CVE-2026-2694

CVE, Research URL

CVE-2026-2694

Application

The Events Calendar

Date
Feb 26, 2026
Research Description
The The Events Calendar plugin for WordPress is vulnerable to unauthorized modification of data and loss of data due to an improper capability check on the 'can_edit' and 'can_delete' function in all versions up to, and including, 6.15.16. This makes it possible for authenticated attackers, with Contributor-level access and above, to update or trash events, organizers and venues via REST API.
Affected versions
max 6.15.16.1.
Status
vulnerable
Apr 24, 2026

The Events Calendar # CVE-2025-9808

CVE, Research URL

CVE-2025-9808

Application

The Events Calendar

Date
Sep 16, 2025
Research Description
The The Events Calendar plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 6.15.2 via the REST endpoint. This makes it possible for unauthenticated attackers to extract information about password-protected vendors or venues.
Affected versions
max 6.15.3.
Status
vulnerable

The Events Calendar # CVE-2025-9807

CVE, Research URL

CVE-2025-9807

Application

The Events Calendar

Date
Sep 12, 2025
Research Description
The The Events Calendar plugin for WordPress is vulnerable to time-based SQL Injection via the ‘s’ parameter in all versions up to, and including, 6.15.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Affected versions
max 6.15.1.1.
Status
vulnerable
Jun 14, 2026

The Events Calendar # CVE-2023-33999

CVE, Research URL

CVE-2023-33999

Application

The Events Calendar

Date
Jun 11, 2026
Research Description
Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in WPVibes WP Mail Log allows DOM-Based XSS. This issue affects WP Mail Log: from n/a through 1.0.2.
Affected versions
max 6.1.0.
Status
vulnerable

The Events Calendar # CVE-2025-48246

CVE, Research URL

CVE-2025-48246

Application

The Events Calendar

Date
May 19, 2025
Research Description
Missing Authorization vulnerability in StellarWP The Events Calendar the-events-calendar allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects The Events Calendar: from n/a through <= 6.11.2.1.
Affected versions
max 6.12.0.
Status
vulnerable
Jun 16, 2026

The Events Calendar # 435ca477c702984e66ef2ae934c9f346535a5cf7

Application

The Events Calendar

Date
Aug 01, 2023
Research Description
The Events Calendar [the-events-calendar] < 3.0.1 WordPress The Events Calendar Plugin <= 3.0 is vulnerable to Cross Site Scripting (XSS) Update the plugin. An unknown person discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress The Events Calendar Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has been fixed in version 3.0.1.
Affected versions
max 3.0.1.
Status
vulnerable

The Events Calendar # 2c9e62f0747b35661e5a3b5c5676939983b8c1de

Application

The Events Calendar

Date
Feb 28, 2022
Research Description
The Events Calendar [the-events-calendar] < 5.14.0.4 WordPress The Events Calendar plugin < 5.14.0.4 - Toggle The Debug Mode via Cross-Site Request Forgery (CSRF) vulnerability Sensitive Information Disclosure vulnerability discovered in WordPress The Events Calendar plugin (versions < 5.14.0.4).
Affected versions
max 5.14.0.4.
Status
vulnerable

The Events Calendar # 6d8910c719b2a132ec93828cd37e418b19cac960

Application

The Events Calendar

Date
Mar 04, 2022
Research Description
The Events Calendar [the-events-calendar] < 5.14.0.4 Freemius SDK <= 2.4.2 - Missing Authorization Checks The Freemius SDK, as used by hundreds of WordPress plugin and theme developers, was vulnerable to Cross-Site Request Forgery and Information disclosure due to missing capability checks and nonce protection on the _get_debug_log, _get_db_option, and the _set_db_option functions in versions up to, and including 2.4.2. Any WordPress plugin or theme running a version of Freemius less than 2.4.3 is vulnerable.
Affected versions
max 5.14.0.4.
Status
vulnerable

The Events Calendar # e952ff0d125fc56920848e49905ef66616e150e1

Application

The Events Calendar

Date
Aug 01, 2014
Research Description
The Events Calendar [the-events-calendar] < 3.0.1 WordPress The Events Calendar Plugin <= 3.0 - Reflected Cross Site Scripting Because of this vulnerability, the attackers can inject arbitrary JavaScript or HTML code. Update the plugin.
Affected versions
max 3.0.1.
Status
vulnerable

The Events Calendar # 05dcb3501757a6e40b61e256ab88a44c8f6576df

Application

The Events Calendar

Date
Apr 25, 2023
Research Description
The Events Calendar [the-events-calendar] < 4.1.1.1 WordPress The Events Calendar Plugin <= 4.1.1 is vulnerable to Open Redirection Update the plugin. Paul Mynarsky discovered and reported this Open Redirection vulnerability in WordPress The Events Calendar Plugin. This could allow a malicious actor to redirect users from one site to the other due to the redirect URL not being validated. Users could be tricked to visiting a legitimate site to then be redirected to a malicious site and cause a phishing incident. This vulnerability has been fixed in version 4.1.1.1.
Affected versions
max 4.1.1.1.
Status
vulnerable

The Events Calendar # a61233d4c512052f4ec67d4ea39c1bb30a4091ac

Application

The Events Calendar

Date
Feb 28, 2022
Research Description
The Events Calendar [the-events-calendar] < 5.14.0.4 WordPress The Events Calendar plugin < 5.14.0.4 - Sensitive Information Disclosure vulnerability Sensitive Information Disclosure vulnerability discovered in WordPress The Events Calendar plugin (versions < 5.14.0.4).
Affected versions
max 5.14.0.4.
Status
vulnerable

The Events Calendar # 83bc58b6c2554ddddd6a3e5778ff934cf47bf128

Application

The Events Calendar

Date
Feb 28, 2023
Research Description
The Events Calendar [the-events-calendar] < 5.14.0.4 WordPress The Events Calendar Plugin < 5.14.0.4 is vulnerable to Cross Site Request Forgery (CSRF) Update the WordPress The Events Calendar plugin to the latest available version (at least 5.14.0.4). An unknown person discovered and reported this Cross Site Request Forgery (CSRF) vulnerability in WordPress The Events Calendar Plugin. This could allow a malicious actor to force higher privileged users to execute unwanted actions under their current authentication. This vulnerability has been fixed in version 5.14.0.4.
Affected versions
max 5.14.0.4.
Status
vulnerable

The Events Calendar # 3b974251c4a571efab932fdc05a0c1f920c8c6d5

Application

The Events Calendar

Date
Apr 25, 2016
Research Description
The Events Calendar [the-events-calendar] < 4.1.1.1 The Events Calendar < 4.1.1.1 - Open Redirect The Events Calendar plugin for WordPress is vulnerable to an open redirect vulnerability in versions before 4.1.1.1. This allows attackers to redirect victims to an untrusted site via a crafted link on a vulnerable trusted site.
Affected versions
max 4.1.1.1.
Status
vulnerable

The Events Calendar # a0bc6292a861b8ea327629208d78b4715e64de2e

Application

The Events Calendar

Date
Apr 25, 2016
Research Description
The Events Calendar [the-events-calendar] < 4.1.1.1 WordPress The Events Calendar Plugin <= 4.1.1 - Open Redirection This plugin is prone to an open redirection vulnerability in the "tribe-bar-view" parameter. Update the plugin.
Affected versions
max 4.1.1.1.
Status
vulnerable

The Events Calendar # 6dae6dca-7474-4008-9fe5-4c62b9f12d0a

Application

The Events Calendar

Date
-
Research Description
The Events Calendar [the-events-calendar] < 5.14.0.4 Unauthorised AJAX Calls via Freemius The plugins and themes use an insecure version of the Freemius Framework, which is lacking CSRF and/or authorisation in some of its AJAX actions. As a result, any authenticated users, such as subscriber could access the debug logs. Unauthenticated attackers could also make a logged in admin toggle the debug mode via a CSRF attack.
Affected versions
max 5.14.0.4.
Status
vulnerable

The Events Calendar # fddc71c551ebe927af92f1987a72062b38c04610

Application

The Events Calendar

Date
Feb 28, 2023
Research Description
The Events Calendar [the-events-calendar] < 5.14.0.4 WordPress The Events Calendar Plugin < 5.14.0.4 is vulnerable to Sensitive Data Exposure Update the WordPress The Events Calendar plugin to the latest available version (at least 5.14.0.4). An unknown person discovered and reported this Sensitive Data Exposure vulnerability in WordPress The Events Calendar Plugin. This vulnerability has been fixed in version 5.14.0.4.
Affected versions
max 5.14.0.4.
Status
vulnerable

The Events Calendar # 533f213b-9fb7-47da-a42c-780aea3aee11

Application

The Events Calendar

Date
-
Research Description
The Events Calendar [the-events-calendar] < 5.14.0 The Events Calendar < 5.14.0 - Reflected Cross-Site Scripting The plugin does not escape an aggregator URL before outputting it back in an attribute, leading to Reflected Cross-Site Scripting.
Affected versions
max 5.14.0.
Status
vulnerable

The Events Calendar # 59acb0f7-9150-44bd-ba1f-cd944b56ff41

Application

The Events Calendar

Date
-
Research Description
The Events Calendar [the-events-calendar] < 4.1.1.1 The Events Calendar <= 4.1.1 - Open Redirect The problem is located in the "tribe-bar-view" parameter that can be used to redirect a user to an arbitrary website. Timeline
* 2016-04-04 : Initial contact with Modern Tribe
* 2016-04-05 : Modern Tribe confirms the report
* 2016-04-07 : Modern Tribe publishes a new version (4.1.1.1) that resolves the issue
Affected versions
max 4.1.1.1.
Status
vulnerable

The Events Calendar # 392171a3fe3230ecf0fc8e8d795071740c32dffe

Application

The Events Calendar

Date
Nov 20, 2023
Research Description
The Events Calendar [the-events-calendar] < 6.2.8.1 The Events Calendar <= 6.2.8 - Information Disclosure The The Events Calendar plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to and including 6.2.8 via the get_data function. This makes it possible for unauthenticated attackers to extract sensitive data including private post content, via the REST API.
Affected versions
max 6.2.8.1.
Status
vulnerable

The Events Calendar # 57c478a8-9a2d-4f0b-9f9a-9f78b92abf69

Application

The Events Calendar

Date
-
Research Description
The Events Calendar [the-events-calendar] < 3.0.1 The Events Calendar <= 3.0 - Reflected Cross-Site Scripting (XSS) The The Events Calendar WordPress plugin was affected by a Reflected Cross-Site Scripting (XSS) security vulnerability.
Affected versions
max 3.0.1.
Status
vulnerable

The Events Calendar # cb4ccc2c1070be47b4b666568c12ef9bfb6e07d6

Application

The Events Calendar

Date
Nov 22, 2023
Research Description
The Events Calendar [the-events-calendar] < 6.2.8.1 WordPress The Events Calendar Plugin < 6.2.8.1 is vulnerable to Sensitive Data Exposure Update the WordPress Event Single Page Templates Addon For The Events Calendar plugin to the latest available version (at least 6.2.8.1). Unknown discovered and reported this Sensitive Data Exposure vulnerability in WordPress The Events Calendar Plugin. This vulnerability has been fixed in version 6.2.8.1.
Affected versions
max 6.2.8.1.
Status
vulnerable

The Events Calendar # CVE-2026-49772

CVE, Research URL

CVE-2026-49772

Application

The Events Calendar

Date
Jun 16, 2026
Research Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Liquid Web / StellarWP The Events Calendar allows Blind SQL Injection. This issue affects The Events Calendar: from 6.15.12 through 6.16.2.
Affected versions
max 6.16.3.
Status
vulnerable