9 matches found
CVE-2024-8275
The Events Calendar (WordPress plugin) is affected by CVE-2024-8275: an unauthenticated SQL injection via the order parameter in tribe_has_next_event() that affects all versions up to 6.6.4. The issue stems from insufficient escaping of user input and inadequate SQL query preparation, allowing an...
CVE-2024-5333
The Events Calendar WordPress plugin (vendor: stellarwp) before version 6.8.2.1 has missing access checks in its REST API, allowing unauthenticated users to access information about password-protected events. The NVD/Nuclei and related sources confirm this information disclosure vector with explo...
CVE-2025-5144
CVE-2025-5144 affects The Events Calendar plugin for WordPress. The issue is a DOM-based Stored Cross-Site Scripting vulnerability via the data-date-* parameters in all versions up to 6.13.2, caused by insufficient input sanitization and output escaping. Exploitation requires authentication at Co...
CVE-2023-6557
CVE-2023-6557 concerns The Events Calendar plugin for WordPress. Affected: The Events Calendar versions up to and including 6.2.8.2. Root cause: a route function hooked into wp_ajax_nopriv_tribe_dropdown allows unauthenticated access, enabling potential exposure of sensitive data such as post tit...
CVE-2024-4180
CVE-2024-4180 affects The Events Calendar WordPress plugin (versions before 6.4.0.1). The issue is an improper sanitization of user-submitted content when rendering certain AJAX views, which enables cross-site scripting (XSS) in the context of the affected site. Affected product and root cause ar...
CVE-2024-6931
The CVE pertains to WordPress The Events Calendar plugin. Affected: The Events Calendar plugin for WordPress, versions up to and including 6.6.3. Root cause: Stored Cross-Site Scripting via the RSVP name field due to insufficient input sanitization and output escaping. Impact: unauthenticated att...
CVE-2023-6203
The CVE concerns The Events Calendar WordPress plugin, specifically versions prior to 6.2.8.1. The vulnerability is an information disclosure where unauthenticated users can read the content of password-protected posts via a crafted request. The root cause is described across multiple sources as ...
CVE-2019-15109
The CVE-2019-15109 entry relates to WordPress plugin The Events Calendar (prior to version 4.8.2) and is caused by an XSS flaw in the tribe_paged URL parameter. Exploitation could enable client-side code execution. Affected software is the Events Calendar plugin for WordPress; vulnerable componen...
CVE-2024-8493
CVE-2024-8493 links to The Events Calendar WordPress plugin prior to 6.6.4. The issue: settings are not properly sanitised/escaped, allowing Stored XSS by high-privilege users (e.g., Admin) even when unfiltered_html is disallowed (notably in multisite). Affected: The Events Calendar plugin