VYPR

The Events Calendar

by Theeventscalendar

CVEs (14)

  • CVE-2026-1922 | Med | Feb 10, 2026
    risk 0.42 | cvss 6.4 | epss 0.00

    The The Events Calendar Shortcode & Block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `ecs-list-events` shortcode `message` attribute in all versions up to, and including, 3.1.2 due to insufficient input sanitization and output escaping on…

  • CVE-2025-12197 | Hig | Nov 5, 2025
    risk 0.42 | cvss 7.5 | epss 0.15

    The The Events Calendar plugin for WordPress is vulnerable to blind SQL Injection via the 's' parameter in versions 6.15.1.1 to 6.15.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it…

  • CVE-2023-35777 | Med | Dec 13, 2024
    risk 0.34 | cvss 5.3 | epss 0.00

    Missing Authorization vulnerability in The Events Calendar The Events Calendar allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects The Events Calendar: from n/a through 6.1.2.2.

  • CVE-2026-2694 | Med | Feb 25, 2026
    risk 0.28 | cvss 5.4 | epss 0.00

    The The Events Calendar plugin for WordPress is vulnerable to unauthorized modification of data and loss of data due to an improper capability check on the 'can_edit' and 'can_delete' function in all versions up to, and including, 6.15.16. This makes it possible for…

  • CVE-2025-15043 | Med | Jan 20, 2026
    risk 0.28 | cvss 5.4 | epss 0.00

    The The Events Calendar plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the 'start_migration', 'cancel_migration', and 'revert_migration' functions in all versions up to, and including, 6.15.13. This makes it possible for…

  • CVE-2025-9808 | Med | Sep 16, 2025
    risk 0.28 | cvss 5.3 | epss 0.01

    The The Events Calendar plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 6.15.2 via the REST endpoint. This makes it possible for unauthenticated attackers to extract information about password-protected vendors or venues.

  • CVE-2025-12192 | Med | Nov 5, 2025
    risk 0.27 | cvss 5.3 | epss 0.00

    The Events Calendar plugin for WordPress is vulnerable to information disclosure in versions up to, and including, 6.15.9. The sysinfo REST endpoint compares the provided key to the stored opt-in key using a loose comparison, allowing unauthenticated attackers to send a boolean…

  • CVE-2025-12175 | Med | Oct 31, 2025
    risk 0.21 | cvss 4.3 | epss 0.00

    The The Events Calendar plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the 'tec_qr_code_modal' AJAX endpoint in all versions up to, and including, 6.15.9. This makes it possible for authenticated attackers, with Subscriber-level…

  • CVE-2024-8275 | Sep 25, 2024
    risk 0.07 | cvss | epss 0.50

    The The Events Calendar plugin for WordPress is vulnerable to SQL Injection via the 'order' parameter of the 'tribe_has_next_event' function in all versions up to, and including, 6.6.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation…

  • CVE-2025-5144 | Jun 11, 2025
    risk 0.00 | cvss | epss 0.00

    The The Events Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘data-date-*’ parameters in all versions up to, and including, 6.13.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated…

  • CVE-2024-5333 | Dec 16, 2024
    risk 0.00 | cvss | epss 0.01

    The Events Calendar WordPress plugin before 6.8.2.1 is missing access checks in the REST API, allowing for unauthenticated users to access information about password protected events.

  • CVE-2024-6931 | Sep 27, 2024
    risk 0.00 | cvss | epss 0.17

    The The Events Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via RSVP name field in all versions up to, and including, 6.6.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject…

  • CVE-2024-8016 | Aug 30, 2024
    risk 0.00 | cvss | epss 0.01

    The Events Calendar Pro plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 7.0.2 via deserialization of untrusted input from the 'filters' parameter in widgets. This makes it possible for authenticated attackers, with…

  • CVE-2024-4180 | Jun 4, 2024
    risk 0.00 | cvss | epss 0.02

    The Events Calendar WordPress plugin before 6.4.0.1 does not properly sanitize user-submitted content when rendering some views via AJAX.