40 matches found
WordPress My Calendar <= 3.1.9 - Cross-Site Scripting
WordPress plugin My Calendar = 3.1.10 or apply the vendor-provided patch to fix the XSS vulnerability. reference: - https://wpscan.com/vulnerability/9267 - https://wordpress.org/plugins/my-calendar/developers - https://nvd.nist.gov/vuln/detail/CVE-2019-15713 -...
CVE-2026-7525
The CVE pertains to WordPress plugin My Calendar – Accessible Event Manager (versions ≤ 3.7.9). It describes an authorization bypass: authenticated users with custom-level access can tamper with the POST body (e.g., event_approved) to publish events or set statuses (cancelled, private) beyond the...
GHSA-2MVX-F5QM-V2CH Unauthenticated Information Disclosure (IDOR) via Multisite switch_to_blog in My Calendar
Summary: An unauthenticated Insecure Direct Object Reference (IDOR) and Denial of Service (DoS) vulnerability in the My Calendar plugin allows any unauthenticated user to extract calendar events, including private or hidden ones, from any sub-site on a WordPress Multisite network. On standard Single Sit...
PT-2026-33370
Name of the Vulnerable Software and Affected Versions My Calendar versions prior to 3.7.7 Description An unauthenticated issue exists in the 'mc ajax mcjs action' AJAX endpoint, which is registered for unauthenticated users. The endpoint passes user-supplied arguments through the parse str functi...
CVE-2026-2355
The My Calendar – Accessible Event Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the template attribute of the my_calendar_upcoming shortcode in all versions up to, and including, 3.7.3. This is due to the use of stripcslashes on user-supplied shortcode attribute...
CVE-2026-2355
The CVE tracks a Stored XSS in The My Calendar – Accessible Event Manager plugin for WordPress. Affects all versions up to 3.7.3 via the shortcode [my_calendar_upcoming] template attribute. Root cause: stripcslashes decodes C-style hex escapes at render time, bypassing wp_kses_post at save time. ...
CVE-2026-2355 My Calendar – Accessible Event Manager <= 3.7.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
The My Calendar – Accessible Event Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the template attribute of the my_calendar_upcoming shortcode in all versions up to, and including, 3.7.3. This is due to the use of stripcslashes on user-supplied shortcode attribute...
WordPress plugin My Calendar – Accessible Event Manager Cross-Site Scripting Vulnerability
WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...
PT-2026-22900
The My Calendar – Accessible Event Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the template attribute of the my_calendar_upcoming shortcode in all versions up to, and including, 3.7.3. This is due to the use of stripcslashes on user-supplied shortcode attribute...
EUVD-2021-11839
Malware in sbrugna...
EUVD-2022-50189
Malicious code in bioql PyPI...
CVE-2024-1274
The My Calendar WordPress plugin before 3.4.24 does not sanitise and escape some parameters, which could allow users with a role as low as Subscriber to perform Cross-Site Scripting attacks depending on the permissions set by the admin...
CVE-2023-23813
Cross-Site Request Forgery (CSRF) vulnerability in Joseph C Dolson My Calendar plugin = 3.4.3 versions...
CVE-2022-47427
Cross-Site Request Forgery (CSRF) vulnerability in Joseph C Dolson My Calendar plugin = 3.3.24.1 versions...
CVE-2021-24927
The My Calendar WordPress plugin before 3.2.18 does not sanitise and escape the callback parameter of the mcpostlookup AJAX action available to any authenticated user before outputting it back in the response, leading to a Reflected Cross-Site Scripting issue...
CVE-2019-15713
The my-calendar plugin before 3.1.10 for WordPress has XSS...
WordPress My Calendar plugin < 3.4.24 - Authenticated Stored XSS vulnerability
Authenticated Stored XSS vulnerability discovered by cyc707 in WordPress Plugin My Calendar versions 3.4.24...
CVE-2024-25916
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Joseph C Dolson My Calendar allows Stored XSS. This issue affects My Calendar: from n/a through 3.4.23...
PT-2023-7555 · WordPress · Wordpress Calendar Plugin
Name of the Vulnerable Software and Affected Versions: My Calendar WordPress Plugin version 3.4.22 Description: The issue is related to an unauthenticated SQL injection vulnerability. This vulnerability is present in the from and to parameters in the "/my-calendar/v1/events" rest route. It allows...