Vulnerabilities and security researches forthe-events-calendar the-events-calendar
Direction: descendingJun 15, 2025
The Events Calendar # CVE-2025-5144
- CVE, Research URL
- Home page URL
- Application
- Date
- Jun 11, 2025
- Research Description
- The The Events Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘data-date-*’ parameters in all versions up to, and including, 6.13.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
- Affected versions
-
max 6.13.2.1.
- Status
-
vulnerable
Jan 28, 2025
The Events Calendar # CVE-2025-24537
- CVE, Research URL
- Home page URL
- Application
- Date
- Jan 27, 2025
- Research Description
- Cross-Site Request Forgery (CSRF) vulnerability in The Events Calendar The Events Calendar allows Cross Site Request Forgery. This issue affects The Events Calendar: from n/a through 6.7.0.
- Affected versions
-
max 6.7.1.
- Status
-
vulnerable
Jan 23, 2025
The Events Calendar # CVE-2024-12118
- CVE, Research URL
- Home page URL
- Application
- Date
- Jan 23, 2025
- Research Description
- The The Events Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Event Calendar Link Widget through the html_tag attribute in all versions up to, and including, 6.9.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
- Affected versions
-
max 6.9.1.
- Status
-
vulnerable
Dec 17, 2024
The Events Calendar # CVE-2024-5333
- CVE, Research URL
- Home page URL
- Application
- Date
- Dec 16, 2024
- Research Description
- The Events Calendar WordPress plugin before 6.8.2.1 is missing access checks in the REST API, allowing for unauthenticated users to access information about password protected events.
- Affected versions
-
max 6.8.2.1.
- Status
-
vulnerable
Nov 14, 2024
The Events Calendar # CVE-2022-4974
- CVE, Research URL
- Home page URL
- Application
- Date
- Oct 16, 2024
- Research Description
- The Freemius SDK, as used by hundreds of WordPress plugin and theme developers, was vulnerable to Cross-Site Request Forgery and Information disclosure due to missing capability checks and nonce protection on the _get_debug_log, _get_db_option, and the _set_db_option functions in versions up to, and including 2.4.2. Any WordPress plugin or theme running a version of Freemius less than 2.4.3 is vulnerable.
- Affected versions
-
max 5.14.0.4.
- Status
-
vulnerable
Oct 12, 2024
The Events Calendar # CVE-2024-8493
- CVE, Research URL
- Home page URL
- Application
- Date
- May 16, 2025
- Research Description
- The Events Calendar WordPress plugin before 6.6.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
- Affected versions
-
max 6.6.4.
- Status
-
vulnerable
Sep 26, 2024
The Events Calendar # CVE-2024-8275
- CVE, Research URL
- Home page URL
- Application
- Date
- Sep 25, 2024
- Research Description
- The The Events Calendar plugin for WordPress is vulnerable to SQL Injection via the 'order' parameter of the 'tribe_has_next_event' function in all versions up to, and including, 6.6.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. Only sites that have manually added tribe_has_next_event() will be vulnerable to this SQL injection.
- Affected versions
-
max 6.6.4.1.
- Status
-
vulnerable
Jul 24, 2024
The Events Calendar # CVE-2024-6931
- CVE, Research URL
- Home page URL
- Application
- Date
- Sep 27, 2024
- Research Description
- The The Events Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via RSVP name field in all versions up to, and including, 6.6.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
- Affected versions
-
max 6.6.4.
- Status
-
vulnerable
Jul 08, 2024
The Events Calendar # CVE-2024-37518
- CVE, Research URL
- Home page URL
- Application
- Date
- Jan 02, 2025
- Research Description
- Cross-Site Request Forgery (CSRF) vulnerability in The Events Calendar The Events Calendar allows Cross Site Request Forgery.This issue affects The Events Calendar: from n/a through 6.5.1.4.
- Affected versions
-
max 6.5.1.5.
- Status
-
vulnerable
Jun 10, 2024
The Events Calendar # CVE-2023-35777
- CVE, Research URL
- Home page URL
- Application
- Date
- Dec 13, 2024
- Research Description
- Missing Authorization vulnerability in The Events Calendar The Events Calendar allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects The Events Calendar: from n/a through 6.1.2.2.
- Affected versions
-
max 6.2.8.1.
- Status
-
vulnerable
Jun 07, 2024
The Events Calendar # CVE-2019-15109
- CVE, Research URL
- Home page URL
- Application
- Date
- Aug 21, 2019
- Research Description
- The the-events-calendar plugin before 4.8.2 for WordPress has XSS via the tribe_paged URL parameter.
- Affected versions
-
max 5.14.0.4.
- Status
-
vulnerable
The Events Calendar # CVE-2023-6203
- CVE, Research URL
- Home page URL
- Application
- Date
- Dec 19, 2023
- Research Description
- The Events Calendar WordPress plugin before 6.2.8.1 discloses the content of password protected posts to unauthenticated users via a crafted request
- Affected versions
-
max 6.2.8.1.
- Status
-
vulnerable
The Events Calendar # CVE-2023-6557
- CVE, Research URL
- Home page URL
- Application
- Date
- Feb 06, 2024
- Research Description
- The The Events Calendar plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 6.2.8.2 via the route function hooked into wp_ajax_nopriv_tribe_dropdown. This makes it possible for unauthenticated attackers to extract potentially sensitive data including post titles and IDs of pending, private and draft posts.
- Affected versions
-
max 6.2.9.
- Status
-
vulnerable
The Events Calendar # CVE-2024-31433
- CVE, Research URL
- Home page URL
- Application
- Date
- Apr 15, 2024
- Research Description
- Cross-Site Request Forgery (CSRF) vulnerability in The Events Calendar.This issue affects The Events Calendar: from n/a through 6.3.0.
- Affected versions
-
max 6.3.1.
- Status
-
vulnerable
The Events Calendar # CVE-2024-4180
- CVE, Research URL
- Home page URL
- Application
- Date
- Jun 04, 2024
- Research Description
- The Events Calendar WordPress plugin before 6.4.0.1 does not properly sanitize user-submitted content when rendering some views via AJAX.
- Affected versions
-
max 6.4.0.1.
- Status
-
vulnerable
The Events Calendar # CVE-2024-1295
- CVE, Research URL
- Home page URL
- Application
- Date
- Jun 14, 2024
- Research Description
- The events-calendar-pro WordPress plugin before 6.4.0.1, The Events Calendar WordPress plugin before 6.4.0.1 does not prevent users with at least the contributor role from leaking details about events they shouldn't have access to. (e.g. password-protected events, drafts, etc.)
- Affected versions
-
max 6.4.0.1.
- Status
-
vulnerable