The Events Calendar < 6.4.0.1 - Cross-site Scripting
The Events Calendar WordPress plugin < 6.4.0.1 contains a stored XSS caused by improper sanitization of user-submitted content when rendering views via AJAX, letting attackers execute scripts in the context of the affected site. Exploitation requires user interaction. id: CVE-2024-4180 info: name:...
VulnCheck KEV: CVE-2025-9807
The The Events Calendar plugin for WordPress is vulnerable to time-based SQL Injection via the ‘s’ parameter in all versions up to, and including, 6.15.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possibl...
WordPress The Events Calendar plugin <= 6.15.17 - Authenticated (Author+) Arbitrary File Read via ajax_create_import vulnerability
Authenticated Author+ Arbitrary File Read via ajax_create_import vulnerability discovered by Dmitrii Ignatyev - CleanTalk Inc in WordPress Plugin The Events Calendar versions <= 6.15.17...
CVE-2026-3585
The The Events Calendar plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 6.15.17 via the 'ajax_create_import' function. This makes it possible for authenticated attackers, with Author-level access and above, to read the contents of arbitrary files on the...
PT-2026-24176
Name of the Vulnerable Software and Affected Versions: The Events Calendar plugin for WordPress versions prior to 6.15.18. Description: The Events Calendar plugin for WordPress is susceptible to a Path Traversal issue in versions up to and including 6.15.17. This allows authenticated attackers with...
EUVD-2026-8745
The The Events Calendar plugin for WordPress is vulnerable to unauthorized modification of data and loss of data due to an improper capability check on the 'canedit' and 'candelete' function in all versions up to, and including, 6.15.16. This makes it possible for authenticated attackers, with...
CVE-2026-1922
The The Events Calendar Shortcode & Block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's ecs-list-events shortcode message attribute in all versions up to, and including, 3.1.2 due to insufficient input sanitization and output escaping on user supplied...
CVE-2026-24988
CVE-2026-24988 concerns a Stored XSS in WordPress plugin The Events Calendar Shortcode & Block, affected through version 3.1.1. The root cause is improper input handling during web-page generation (improper neutralization of input), enabling injection of malicious scripts. Multiple sources (Red H...
WordPress Add infos to the events calendar plugin <= 1.4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting vulnerability discovered by Peter Thaleikis in WordPress Plugin Add infos to the events calendar versions <= 1.4.1...
CVE-2025-15043
The The Events Calendar plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the 'startmigration', 'cancelmigration', and 'revertmigration' functions in all versions up to, and including, 6.15.13. This makes it possible for authenticated attackers, with...
CVE-2025-15043 The Events Calendar <= 6.15.13 - Missing Authorization to Authenticated (Subscriber+) Data Migration Control
The The Events Calendar plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the 'startmigration', 'cancelmigration', and 'revertmigration' functions in all versions up to, and including, 6.15.13. This makes it possible for authenticated attackers, with...
CVE-2025-69348 WordPress The Events Calendar Countdown Addon plugin <= 1.4.15 - Broken Access Control vulnerability
Missing Authorization vulnerability in CoolHappy The Events Calendar Countdown Addon countdown-for-the-events-calendar allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects The Events Calendar Countdown Addon: from n/a through <= 1.4.15...
WordPress Plugin The Events Calendar Information Disclosure Vulnerability
WordPress is a blogging platform developed using the PHP language. The platform has the ability to set up a personal blog site on a PHP and MySQL based server. WordPress plugin is an application plugin. WordPress plugin The Events Calendar has an information disclosure vulnerability, the...
CVE-2025-12192
The Events Calendar plugin for WordPress is vulnerable to information disclosure in versions up to, and including, 6.15.9. The sysinfo REST endpoint compares the provided key to the stored opt-in key using a loose comparison, allowing unauthenticated attackers to send a boolean value and obtain t...
CVE-2025-12197
The The Events Calendar plugin for WordPress is vulnerable to blind SQL Injection via the 's' parameter in versions 6.15.1.1 to 6.15.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticat...
WordPress The Events Calendar plugin <= 6.15.9 - Sysinfo Key Incorrect Comparison to Unauthenticated Sensitive Information Exposure vulnerability
Sysinfo Key Incorrect Comparison to Unauthenticated Sensitive Information Exposure vulnerability discovered by mikemyers in WordPress Plugin The Events Calendar versions <= 6.15.9...
PT-2025-45099
Name of the Vulnerable Software and Affected Versions: The Events Calendar plugin for WordPress versions through 6.15.9. Description: The Events Calendar plugin for WordPress has an information disclosure issue. The sysinfo REST endpoint performs a weak comparison between the provided key and the...
PT-2025-45070
Name of the Vulnerable Software and Affected Versions: The Events Calendar plugin for WordPress versions 6.15.1.1 through 6.15.9. Description: The Events Calendar plugin for WordPress is susceptible to a blind SQL injection issue. This is due to inadequate escaping of user-provided input and...
CVE-2025-12175
The The Events Calendar plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the 'tecqrcodemodal' AJAX endpoint in all versions up to, and including, 6.15.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to vi...