Calendar Security & Risk Analysis

wordpress.org/plugins/calendar

A simple but effective Calendar plugin for WordPress that allows you to manage your events and appointments and display them to the world.

  • Active installs: 4K
  • Version: v1.3.17
  • Requires: PHP + WP 6.2.4+
  • Updated: Dec 13, 2025
  • Tags: calendar, dates, events, times
  • Security score: 90 (A · Safe)
  • CVEs total: 5
  • Unpatched: 0
  • Last CVE: Dec 22, 2025
Safety Verdict

Is Calendar Safe to Use in 2026?

Generally Safe

Score 90/100

Calendar has a strong security track record. Known vulnerabilities have been patched promptly.

5 known CVEs · Last CVE: Dec 22, 2025 · Updated 3mo ago
Risk Assessment

The 'calendar' plugin v1.3.17 exhibits a mixed security posture. On the positive side, it uses prepared statements exclusively for its SQL queries and escapes a high percentage of its output. It also performs no file operations and makes no external HTTP requests, which removes two common attack vectors. The presence of nonce checks is encouraging; capability checks are reported as 0, but such checks are often implemented through functions that static analysis does not flag as capability checks, so that figure should be read with caution. However, the static analysis and the vulnerability history raise several significant concerns. The taint analysis reveals 6 flows with unsanitized paths, including 4 high-severity issues, indicating potential weaknesses in how user-provided data is handled. The vulnerability history is also a major red flag: 5 known CVEs, 2 of them high severity. The types of past vulnerabilities (XSS, SQL injection, CSRF) match the risks suggested by the taint analysis, pointing to a recurring pattern of insecure input handling. While there are currently no unpatched vulnerabilities, the recurrence of these issues indicates a need for more robust input validation and sanitization within the plugin.

The plugin's attack surface is relatively small and appears to be protected, with no unprotected entry points. This is a strength. However, the presence of unsanitized flows and a history of impactful vulnerabilities, despite the use of prepared statements and good output escaping, suggests that the core issue lies in how the plugin processes and trusts user input before it reaches the SQL query or is rendered in the output. The absence of unpatched vulnerabilities is a positive, but the consistent discovery of significant vulnerabilities in the past suggests a persistent weakness in secure coding practices, particularly concerning input validation. Therefore, while some security fundamentals are in place, the risk remains elevated due to the identified taint issues and historical patterns.

Key Concerns

  • High severity taint flows found
  • Unsanitized paths in taint analysis
  • High severity CVEs in history
  • Medium severity CVEs in history
  • History of XSS vulnerabilities
  • History of SQL Injection vulnerabilities
  • History of CSRF vulnerabilities
Vulnerabilities (5)

Calendar Security Vulnerabilities

CVEs by Year

  • 2014: 1 CVE
  • 2016: 1 CVE
  • 2018: 1 CVE
  • 2024: 1 CVE
  • 2025: 1 CVE

All 5 CVEs are patched; none is currently unpatched.

Severity Breakdown

  • High: 2
  • Medium: 3

5 total CVEs

CVE-2025-14548 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Calendar <= 1.3.16 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'event_desc'

Dec 22, 2025 · Patched in 1.3.17 (1d)

CVE-2024-2831 · high · 8.8 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Calendar <= 1.3.14 - Authenticated (Contributor+) SQL Injection via Shortcode

Apr 29, 2024 · Patched in 1.3.15 (38d)

CVE-2018-18872 · medium · 5.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Calendar <= 1.3.10 - Authenticated Stored Cross-Site Scripting

Oct 30, 2018 · Patched in 1.3.11 (1911d)

WF-ff22c969-e580-4290-ab08-7c02b6eac938-calendar · high · 7.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Calendar < 1.3.8 - Reflected Cross-Site Scripting

Nov 8, 2016 · Patched in 1.3.8 (2632d)

CVE-2013-2698 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

Calendar <= 1.3.2 - Cross-Site Request Forgery

Aug 1, 2014 · Patched in 1.3.3 (3462d)
Code Analysis (analyzed Mar 16, 2026)

Calendar Code Analysis

  • Dangerous Functions: 0
  • Raw SQL Queries: 0 (63 prepared)
  • Unescaped Output: 25 (275 escaped)
  • Nonce Checks: 7
  • Capability Checks: 0
  • File Operations: 0
  • External Requests: 0
  • Bundled Libraries: 0

SQL Query Safety

100% prepared (63 total queries)

Output Escaping

92% escaped (300 total outputs)
Data Flows (6 unsanitized)

Data Flow Analysis

6 flows, 6 with unsanitized paths

  • calendar_print_ical_feed (calendar-feed.php:27)
Attack Surface

Calendar Attack Surface

  • Entry Points: 1
  • Unprotected: 0

Shortcodes (1)

  • [calendar] (calendar.php:85)

WordPress Hooks (18)

  • action plugins_loaded (calendar.php:40)
  • action admin_enqueue_scripts (calendar.php:54)
  • action admin_menu (calendar.php:55)
  • filter the_content (calendar.php:58)
  • filter the_content (calendar.php:59)
  • filter the_content (calendar.php:62)
  • filter the_content (calendar.php:63)
  • action wp_enqueue_scripts (calendar.php:66)
  • action delete_user (calendar.php:69)
  • action widgets_init (calendar.php:72)
  • action widgets_init (calendar.php:73)
  • action widgets_init (calendar.php:74)
  • action init (calendar.php:77)
  • filter widget_text (calendar.php:86)
  • action init (calendar.php:89)
  • filter query_vars (calendar.php:95)
  • action parse_request (calendar.php:102)
  • action admin_notices (calendar.php:113)
Maintenance & Trust

Calendar Maintenance & Trust

Maintenance Signals

  • WordPress version tested: 6.9.4
  • Last updated: Dec 13, 2025
  • PHP min version: not listed
  • Downloads: 673K

Community Trust

  • Rating: 74/100
  • Number of ratings: 24
  • Active installs: 4K
Developer Profile

Calendar Developer Profile

Kieran O'Shea

4 plugins · 4K total installs

  • Trust score: 72
  • Avg Security Score: 90/100
  • Avg Patch Time: 1609 days
Detection Fingerprints

How We Detect Calendar

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/calendar/calendar-admin.css
  • /wp-content/plugins/calendar/javascript.js
Script Paths
  • /wp-content/plugins/calendar/javascript.js
Version Parameters
  • calendar/javascript.js?ver=1.3.16
  • calendar/calendar-admin.css?ver=1.3.16

HTML / DOM Fingerprints

CSS Classes
  • calendar_admin_css
HTML Comments
  • <!-- !Calendar Core-->
  • <!-- Calendar Core-->
  • <!-- Calendar Content-->
  • <!-- Calendar Footer-->
  • +17 more
Data Attributes
  • data-month
  • data-year
JS Globals
  • calendar_data
Shortcode Output
  • [calendar]
  • [calendar categories=""
  • [calendar type="todays"]
  • [calendar type="upcoming"]
FAQ

Frequently Asked Questions about Calendar