PT-2026-4373

Name of the Vulnerable Software and Affected Versions WP FullCalendar versions through 1.6 Description A flaw exists in WP FullCalendar that allows the retrieval of embedded sensitive data. This issue potentially exposes sensitive system information to unauthorized access. Recommendations Update ...

EUVD-2025-2680

Malicious code in bioql PyPI...

CVE-2025-22261

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Marcus aka @msykes WP FullCalendar wp-fullcalendar allows Stored XSS.This issue affects WP FullCalendar: from n/a through = 1.5...

CVE-2025-22261

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Marcus aka @msykes WP FullCalendar wp-fullcalendar allows Stored XSS.This issue affects WP FullCalendar: from n/a through = 1.5...

CVE-2025-22261 WordPress WP FullCalendar plugin <= 1.5 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Marcus aka @msykes WP FullCalendar wp-fullcalendar allows Stored XSS.This issue affects WP FullCalendar: from n/a through = 1.5...

CVE-2025-22261

CVE-2025-22261 is a real Stored Cross-Site Scripting vulnerability in the WP FullCalendar plugin for WordPress (wp-fullcalendar) affecting versions up to and including 1.5. The root cause is improper neutralization of user input during web page generation, allowing injected scripts to be stored a...

Design/Logic Flaw

The WP FullCalendar WordPress plugin before 1.5 does not ensure that the post retrieved via an AJAX action is public and can be accessed by the user making the request, allowing unauthenticated attackers to get the content of arbitrary posts, including draft/private as well as password-protected...

CVE-2022-3891 WP FullCalendar < 1.5 - Unauthenticated Arbitrary Post Access

The WP FullCalendar WordPress plugin before 1.5 does not ensure that the post retrieved via an AJAX action is public and can be accessed by the user making the request, allowing unauthenticated attackers to get the content of arbitrary posts, including draft/private as well as password-protected...

CVE-2022-3891

The CVE-2022-3891 entry concerns the WP FullCalendar WordPress plugin (pre-1.5). The vulnerability arises from insufficient access control on an AJAX endpoint, allowing unauthenticated attackers to retrieve content from arbitrary posts, including draft, private, or password-protected ones. Impact...

CVE-2022-3891 WP FullCalendar < 1.5 - Unauthenticated Arbitrary Post Access

The WP FullCalendar WordPress plugin before 1.5 does not ensure that the post retrieved via an AJAX action is public and can be accessed by the user making the request, allowing unauthenticated attackers to get the content of arbitrary posts, including draft/private as well as password-protected...

WP FullCalendar < 1.5 - Unauthenticated Arbitrary Post Access

The plugin does not ensure that the post retrieved via an AJAX action is public and can be accessed by the user making the request, allowing unauthenticated attackers to get the content of arbitrary posts, including draft/private as well as password-protected ones. PoC Open the below URL as an...