Editorial Calendar Security & Risk Analysis

wordpress.org/plugins/editorial-calendar

Editorial Calendar allows you to view all your posts, schedule post, make quick edits, and manage your blog by draggi …

20K active installs v3.9.2 PHP 7.4+ WP 4.0+ Updated Mar 3, 2026
editorial-calendar · manage-post · quickedit-post · schedule-post
93
A · Safe
CVEs total: 4
Unpatched: 0
Last CVE: Dec 20, 2025
Safety Verdict

Is Editorial Calendar Safe to Use in 2026?

Generally Safe

Score 93/100

Editorial Calendar has a strong security track record. Known vulnerabilities have been patched promptly.

4 known CVEs · Last CVE: Dec 20, 2025 · Updated 1mo ago
Risk Assessment

The "editorial-calendar" plugin version 3.9.2 exhibits a mixed security posture. While it demonstrates good practices such as 100% of SQL queries using prepared statements and a significant number of capability checks (8), there are notable areas of concern. The presence of 7 AJAX handlers, with 3 of them lacking proper authentication checks, significantly expands the attack surface and presents a direct risk of unauthorized actions.

The static analysis also reveals that only 23% of output is properly escaped, indicating a potential for Cross-Site Scripting (XSS) vulnerabilities, especially when combined with the unsanitized path flow identified in the taint analysis. Although no critical or high severity taint flows were found, the single unsanitized path flow is still a concern.

The plugin's vulnerability history, with 4 known CVEs and a recent one in late 2025, points to a recurring pattern of security weaknesses, including missing authorization and XSS. Past high and medium severity vulnerabilities, even though none are currently unpatched, suggest a need for more robust security development practices. In conclusion, while the plugin has some strengths, the unprotected AJAX handlers and the high percentage of unescaped output are significant risks that require immediate attention.

Key Concerns

  • AJAX handlers without authentication checks
  • Low percentage of properly escaped output
  • Flow with unsanitized paths
  • Vulnerability history (4 CVEs, including high/medium)
Vulnerabilities
4

Editorial Calendar Security Vulnerabilities

CVEs by Year

2013: 1 CVE
2023: 2 CVEs
2025: 1 CVE

Severity Breakdown

High: 1
Medium: 3

4 total CVEs

CVE-2025-68603 · medium · 4.3 · Missing Authorization

Editorial Calendar <= 3.8.8 - Missing Authorization

Dec 20, 2025 Patched in 3.8.9 (39d)
CVE-2023-36520 · medium · 5.4 · Authorization Bypass Through User-Controlled Key

Editorial Calendar <= 3.7.12 - Authenticated (Contributor+) Insecure Direct Object Reference

Jun 27, 2023 Patched in 3.8.0 (210d)
CVE-2022-4115 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Editorial Calendar <= 3.8.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via edcal_saveoptions AJAX action

Jun 5, 2023 Patched in 3.8.1 (232d)
CVE-2013-10023 · high · 7.2 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Editorial Calendar <= 2.6 - Authenticated (Admin+) SQL Injection

Feb 13, 2013 Patched in 2.7 (4012d)
Code Analysis
Analyzed Mar 16, 2026

Editorial Calendar Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 89 (27 escaped)
Nonce Checks: 1
Capability Checks: 8
File Operations: 2
External Requests: 0
Bundled Libraries: 0

Output Escaping

23% escaped · 116 total outputs
Data Flows
1 unsanitized

Data Flow Analysis

3 flows · 1 with unsanitized paths
edcal_deletepost (edcal.php:909)
Attack Surface
3 unprotected

Editorial Calendar Attack Surface

Entry Points: 7
Unprotected: 3

AJAX Handlers 7

auth · wp_ajax_edcal_saveoptions · edcal.php:61
auth · wp_ajax_edcal_changedate · edcal.php:62
auth · wp_ajax_edcal_savepost · edcal.php:63
auth · wp_ajax_edcal_changetitle · edcal.php:64
auth · wp_ajax_edcal_posts · edcal.php:66
auth · wp_ajax_edcal_getpost · edcal.php:67
auth · wp_ajax_edcal_deletepost · edcal.php:68
WordPress Hooks 4
action · admin_menu · edcal.php:65
action · init · edcal.php:69
filter · posts_where · edcal.php:636
filter · posts_where · edcal.php:679
Maintenance & Trust

Editorial Calendar Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.8.5
Last updated: Mar 3, 2026
PHP min version: 7.4
Downloads: 1.5M

Community Trust

Rating: 98/100
Number of ratings: 80
Active installs: 20K
Developer Profile

Editorial Calendar Developer Profile

Marketing Fire

4 plugins · 212K total installs

Trust score: 69
Avg Security Score: 85/100
Avg Patch Time: 643 days
Detection Fingerprints

How We Detect Editorial Calendar

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/editorial-calendar/lib/timePicker.css
/wp-content/plugins/editorial-calendar/lib/humanmsg.css
/wp-content/plugins/editorial-calendar/edcal.css
/wp-content/plugins/editorial-calendar/edcal_rtl.css

HTML / DOM Fingerprints

HTML Comments
<!-- This is the styles from time picker.css -->
<!-- This is the styles from humanmsg.css -->
<!-- This is the styles from edcal.css -->
<!-- This is the styles from edcal_rtl.css -->
REST Endpoints
/wp-admin/admin-ajax.php
FAQ

Frequently Asked Questions about Editorial Calendar