Does CalJ have any unpatched vulnerabilities?

Yes — CalJ currently has 1 published unpatched vulnerability. We recommend switching to an alternative or applying any available workarounds.

Is CalJ compatible with WordPress 6.9.4?

According to WordPress.org data, CalJ 1.5 has been tested up to WordPress 6.9.4. Check the plugin's changelog for the latest compatibility information.

Is CalJ compatible with PHP 5.6+?

CalJ requires PHP 5.6 or higher. Most modern WordPress hosts run PHP 8.1 or 8.2. If you are on an older PHP version, consider upgrading before installing this plugin.

How often is CalJ updated?

CalJ was last updated on Apr 10, 2026. Frequent updates are generally a positive security signal.

What is CalJ's security score?

CalJ has a WP-Safety security score of 78/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

CalJ Security & Risk Analysis

wordpress.org/plugins/calj

Display the Shabbat times (zmanim) for the city of your choice.

100 active installs v1.5 PHP 5.6+ WP 4.9+ Updated Apr 10, 2026

calendardateeventshebrewjewish

B · Generally Safe

CVEs total1

Unpatched1

Last CVEApr 21, 2026

Plugin page Download

Safety Verdict

Is CalJ Safe to Use in 2026?

Mostly Safe

Score 78/100

CalJ is generally safe to use. 1 past CVE were resolved.

1 known CVE 1 unpatched Last CVE: Apr 21, 2026Updated 1mo ago

Risk Assessment

The plugin "calj" v1.5 exhibits a generally positive security posture, with several good practices observed. Notably, it has a small attack surface, with only one entry point (a shortcode) and no AJAX handlers, REST API routes, or cron events. All SQL queries are properly prepared, and there are no file operations or external HTTP requests that appear to be directly controllable by user input. The absence of known vulnerabilities in its history is also a strong indicator of good development and maintenance.

However, there are significant areas for improvement and concern. The most pressing issue is the lack of output escaping, with only 20% of outputs being properly handled. This leaves the plugin vulnerable to Cross-Site Scripting (XSS) attacks, especially given the presence of taint flows with unsanitized paths. The absence of nonce and capability checks further exacerbates this risk, as it suggests that the plugin may not be adequately protecting sensitive actions or data from unauthorized access or manipulation. While the attack surface is small, the lack of proper sanitization and authorization on the identified flows represents a critical weakness.

In conclusion, while "calj" v1.5 benefits from a limited attack surface and secure SQL handling, the critical vulnerabilities in output escaping and the lack of authorization checks present a significant risk. The presence of unsanitized taint flows, coupled with these weaknesses, means that despite its clean vulnerability history, the plugin requires immediate attention to mitigate potential XSS and privilege escalation attacks.

Key Concerns

Unsanitized taint flows detected
Low percentage of properly escaped output
Missing nonce checks
Missing capability checks

Vulnerabilities

1 published

CalJ Security Vulnerabilities

CVEs by Year

1 CVE in 2026 · unpatched

2026

Patched Has unpatched

Severity Breakdown

Medium

1 total CVE

CVE-2026-4117medium · 5.3Missing Authorization

CalJ <= 1.5 - Authenticated (Subscriber+) Arbitrary Settings Modification via 'save-obtained-key' Action

Apr 21, 2026Unpatched

Version History

CalJ Release Timeline

No version history available.

Code Analysis

Analyzed Mar 16, 2026

CalJ Code Analysis

Dangerous Functions

Raw SQL Queries

0 prepared

Unescaped Output

1 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

Output Escaping

20% escaped5 total outputs

Data Flows · Security

2 unsanitized

Data Flow Analysis

2 flows2 with unsanitized paths

create_admin_page (CalJSettingsPage.php:74)

Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized

Attack Surface

CalJ Attack Surface

Entry Points1

Unprotected0

Shortcodes 1

[caljshabbat] CalJPlugin.php:12

WordPress Hooks 3

actionadmin_menuCalJSettingsPage.php:43

actionadmin_initCalJSettingsPage.php:44

filterplugin_action_linksCalJSettingsPage.php:46

Maintenance & Trust

CalJ Maintenance & Trust

Maintenance Signals

WordPress version tested6.9.4

Last updatedApr 10, 2026

PHP min version5.6

Downloads4K

Community Trust

Rating68/100

Number of ratings5

Active installs100

Alternatives

CalJ Alternatives

Jewish Date

jewish-date

100

Jewish Date is a small plugin to show the Jewish date on your WordPress site.

40 No CVEs

Hebrew Events Calendar

hebrew-events-calendar

An events calendar that allows easy entry of reoccuring events with either Gregorian or Jewish dates.

10 No CVEs

Calendar

calendar

A simple but effective Calendar plugin for WordPress that allows you to manage your events and appointments and display them to the world.

4K 5 CVEs

Tockify Events Calendar

tockify-events-calendar

Tockify Calendar is a modern attractive website calendar. Beautiful. Intuitive. Super-Customizable. Lightning Fast.

2K 1 CVE

WP Hebrew Date

wordpress-hebrew-date

100

Convert dates in wordpress to Hebrew dates.

700 No CVEs

Developer Profile

CalJ Developer Profile

calj

1 plugin · 100 total installs

trust score

Avg Security Score

78/100

Avg Patch Time

30 days

View full developer profile

Detection Fingerprints

How We Detect CalJ

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Version Parameters

calj.php?ver=calj.css?ver=calj.js?ver=

HTML / DOM Fingerprints

Data Attributes

caljshabbat

Shortcode Output

[ERR:-

FAQ