Unrated severityNVD Advisory· Published Oct 16, 2014· Updated May 6, 2026

CVE-2014-7138

Description

Cross-site scripting (XSS) vulnerability in the Google Calendar Events plugin before 2.0.4 for WordPress allows remote attackers to inject arbitrary web script or HTML via the gce_feed_ids parameter in a gce_ajax action to wp-admin/admin-ajax.php.

Affected products

Google Calendar Events Project/Google Calendar Events
cpe:2.3:a:google_calendar_events_project:google_calendar_events:*:*:*:*:*:wordpress:*:*
Range: <=2.0.3.1

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

packetstormsecurity.com/files/128626/WordPress-Google-Calendar-Events-2.0.1-Cross-Site-Scripting.htmlnvdExploit
www.htbridge.com/advisory/HTB23235nvdExploit
github.com/pderksen/WP-Google-Calendar-Events/commit/a701ceeb410bdda9d96c9d3d12104630df5d5b43nvdVendor Advisory
wordpress.org/plugins/google-calendar-events/changelognvdVendor Advisory
www.securityfocus.com/archive/1/533640/100/0/threadednvd
www.securityfocus.com/bid/70370nvd
exchange.xforce.ibmcloud.com/vulnerabilities/96867nvd

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000