Calendar
by WordPress
Source repositories
CVEs (6)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2022-2314 | Cri | 0.65 | 9.8 | 0.12 | Aug 15, 2022 | The VR Calendar WordPress plugin through 2.3.2 lets any user execute arbitrary PHP functions on the site. | ||
| CVE-2024-2831 | Hig | 0.57 | 8.8 | 0.01 | May 2, 2024 | The Calendar plugin for WordPress is vulnerable to SQL Injection via the plugin's shortcodes in all versions up to, and including, 1.3.14 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it… | ||
| CVE-2024-3756 | Hig | 0.49 | 7.5 | 0.00 | May 6, 2024 | The MF Gig Calendar WordPress plugin through 1.2.1 does not have CSRF checks in some places, which could allow attackers to make logged in Contributors and above delete arbitrary events via a CSRF attack | ||
| CVE-2025-14548 | Med | 0.42 | 6.4 | 0.00 | Dec 23, 2025 | The Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'event_desc' parameter in all versions up to, and including, 1.3.16 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with… | ||
| CVE-2024-3755 | Med | 0.35 | 5.4 | 0.00 | May 6, 2024 | The MF Gig Calendar WordPress plugin through 1.2.1 does not sanitise and escape some of its settings, which could allow high privilege users such as editor to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in… | ||
| CVE-2013-2698 | 0.00 | — | 0.01 | May 27, 2014 | Cross-site request forgery (CSRF) vulnerability in the Calendar plugin before 1.3.3 for WordPress allows remote attackers to hijack the authentication of users for requests that add a calendar entry via unspecified vectors. |
- risk 0.65cvss 9.8epss 0.12
The VR Calendar WordPress plugin through 2.3.2 lets any user execute arbitrary PHP functions on the site.
- risk 0.57cvss 8.8epss 0.01
The Calendar plugin for WordPress is vulnerable to SQL Injection via the plugin's shortcodes in all versions up to, and including, 1.3.14 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it…
- risk 0.49cvss 7.5epss 0.00
The MF Gig Calendar WordPress plugin through 1.2.1 does not have CSRF checks in some places, which could allow attackers to make logged in Contributors and above delete arbitrary events via a CSRF attack
- risk 0.42cvss 6.4epss 0.00
The Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'event_desc' parameter in all versions up to, and including, 1.3.16 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with…
- risk 0.35cvss 5.4epss 0.00
The MF Gig Calendar WordPress plugin through 1.2.1 does not sanitise and escape some of its settings, which could allow high privilege users such as editor to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in…
- CVE-2013-2698May 27, 2014risk 0.00cvss —epss 0.01
Cross-site request forgery (CSRF) vulnerability in the Calendar plugin before 1.3.3 for WordPress allows remote attackers to hijack the authentication of users for requests that add a calendar entry via unspecified vectors.