BP Events Calendar Security & Risk Analysis

wordpress.org/plugins/bp-events-calendar

The Modern Tribe's Events Calendar add-on that integrates into BuddyPress and allows users to post events directly from their profile.

20 active installs · v1.0.0 · PHP 5.4+ · WP 4.0+ · Updated Apr 10, 2018
Tags: buddypress, calendar, community-events, events, events-calendar
Score: 85 (A · Safe)
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is BP Events Calendar Safe to Use in 2026?

Generally Safe

Score 85/100

BP Events Calendar has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 7yr ago
Risk Assessment

The "bp-events-calendar" v1.0.0 plugin exhibits a mixed security posture. On the positive side, it demonstrates good practices by exclusively using prepared statements for its SQL queries and avoids external HTTP requests and file operations. The plugin also includes a reasonable number of nonce and capability checks (3 and 7 respectively).

However, significant concerns arise from the attack surface and taint analysis. Two AJAX handlers are present, and alarmingly, both lack authentication checks, presenting a direct vulnerability. The taint analysis reveals two high-severity flows that are unsanitized, which could potentially lead to exploitable vulnerabilities if user input is not handled carefully in these specific code paths. The fact that 64% of output is properly escaped indicates that while many outputs are secured, a substantial portion (36%) may be vulnerable to cross-site scripting (XSS) attacks.

Despite the absence of any recorded CVEs, which might suggest a history of secure development or lack of scrutiny, the identified issues in the static analysis are critical. The unprotected AJAX endpoints and high-severity unsanitized taint flows are immediate risks. Therefore, while the plugin avoids some common pitfalls, the open entry points and potential for data manipulation or XSS due to insufficient output escaping warrant caution and immediate attention.

Key Concerns

  • Unprotected AJAX handlers
  • High severity unsanitized taint flows
  • Significant unescaped output (36%)
Vulnerabilities
None known

BP Events Calendar Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

BP Events Calendar Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (19 prepared)
Unescaped Output: 105 (189 escaped)
Nonce Checks: 3
Capability Checks: 7
File Operations: 0
External Requests: 0
Bundled Libraries: 0

SQL Query Safety

100% prepared · 19 total queries

Output Escaping

64% escaped · 294 total outputs
Data Flows
4 unsanitized

Data Flow Analysis

9 flows · 4 with unsanitized paths
save_settings (includes\admin\class-bpec-settings.php:73)
Diagram legend: Source (user input), Sink (dangerous op), Sanitizer, Transform, Unsanitized, Sanitized
Attack Surface
2 unprotected

BP Events Calendar Attack Surface

Entry Points: 2
Unprotected: 2

AJAX Handlers 2

auth · wp_ajax_bpec_join_group_event · includes\bpec-actions.php:113
auth · wp_ajax_bpec_event_guests_list · includes\bpec-actions.php:114
WordPress Hooks 45
action · wp_enqueue_scripts · bp-events-calendar-core.php:63
action · admin_footer · bp-events-calendar-core.php:257
action · wp_footer · bp-events-calendar-core.php:262
action · wp_enqueue_scripts · bp-events-calendar-core.php:265
action · bp_loaded · bp-events-calendar-core.php:396
action · plugins_loaded · bp-events-calendar.php:95
action · admin_notices · bp-events-calendar.php:122
action · bp_include · bp-events-calendar.php:130
action · admin_init · includes\admin\class-bpec-settings.php:24
action · admin_init · includes\admin\class-bpec-settings.php:25
action · bp_init · includes\bpec-actions.php:23
action · bpec_event_form · includes\bpec-actions.php:41
action · bpec_event_form · includes\bpec-actions.php:42
action · bpec_event_form · includes\bpec-actions.php:43
action · bpec_event_form · includes\bpec-actions.php:44
action · bpec_event_form · includes\bpec-actions.php:45
action · bpec_event_form · includes\bpec-actions.php:46
action · bpec_event_form · includes\bpec-actions.php:47
action · bpec_event_form · includes\bpec-actions.php:48
action · bpec_event_form · includes\bpec-actions.php:49
action · bpec_event_form · includes\bpec-actions.php:50
action · bpec_event_form · includes\bpec-actions.php:53
action · bpec_event_form · includes\bpec-actions.php:57
action · bpec_event_list_loop · includes\bpec-actions.php:65
action · save_post_tribe_events · includes\bpec-actions.php:71
action · bpec_event_attendees_list_loop · includes\bpec-actions.php:78
action · bpec_event_orders_list_loop · includes\bpec-actions.php:85
action · bp_register_activity_actions · includes\bpec-actions.php:88
action · bpec_directory_event_actions · includes\bpec-actions.php:99
action · bpec_directory_event_item · includes\bpec-actions.php:100
action · bpec_guests_popup_inner · includes\bpec-actions.php:101
action · bpec_member_joined_event · includes\bpec-actions.php:102
action · bpec_member_left_event · includes\bpec-actions.php:103
filter · bp_user_query_uid_clauses · includes\bpec-actions.php:115
action · bp_template_content · includes\bpec-screens.php:22
filter · tribe_query_can_inject_date_field · includes\bpec-screens.php:42
action · bp_template_content · includes\bpec-screens.php:78
filter · tribe_events_tickets_attendees_url · includes\bpec-screens.php:79
action · bp_template_content · includes\bpec-screens.php:110
filter · get_edit_post_link · includes\bpec-screens.php:111
action · bp_template_content · includes\bpec-screens.php:154
filter · get_edit_post_link · includes\bpec-screens.php:155
action · wp_enqueue_scripts · includes\class-bpec-event-form.php:91
action · wp_loaded · includes\class-bpec-event-form.php:93
action · wp_loaded · includes\class-bpec-event-form.php:94
Maintenance & Trust

BP Events Calendar Maintenance & Trust

Maintenance Signals

WordPress version tested: 4.9.29
Last updated: Apr 10, 2018
PHP min version: 5.4
Downloads: 3K

Community Trust

Rating: 100/100
Number of ratings: 1
Active installs: 20
Developer Profile

BP Events Calendar Developer Profile

WPDrift

1 plugin · 20 total installs

Trust score: 84
Avg Security Score: 85/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect BP Events Calendar

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/bp-events-calendar/includes/css/bp-events-calendar.css
/wp-content/plugins/bp-events-calendar/includes/js/bp-events-calendar.js
Script Paths
/wp-content/plugins/bp-events-calendar/includes/js/bp-events-calendar.js
Version Parameters
bp-events-calendar/includes/css/bp-events-calendar.css?ver=
bp-events-calendar/includes/js/bp-events-calendar.js?ver=

HTML / DOM Fingerprints

CSS Classes
bpec-events-calendar-wrapper
JS Globals
BP_EVENTS_CALENDAR_AJAX_URL