Event Calendar / Scheduler Security & Risk Analysis

wordpress.org/plugins/event-calendar-scheduler

Event calendar plugin that allows you to add a nice-looking scheduler/planner with drag-n-drop interface, recurring events, Google Map integration.

30 active installs v3.0 PHP + WP 2.0.2+ Updated Sep 11, 2012
calendareventevent-calendareventsplanner
85
A · Safe
CVEs total0
Unpatched0
Last CVENever
Safety Verdict

Is Event Calendar / Scheduler Safe to Use in 2026?

Generally Safe

Score 85/100

Event Calendar / Scheduler has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 13yr ago
Risk Assessment

The "event-calendar-scheduler" v3.0 plugin exhibits a mixed security posture. On the positive side, the plugin has no known vulnerabilities (CVEs) and a clean history, suggesting a generally stable and well-maintained codebase. Furthermore, the attack surface appears minimal with no exposed AJAX handlers, REST API routes, shortcodes, or cron events that are unprotected. The majority of SQL queries utilize prepared statements, which is a good practice for preventing SQL injection. However, there are significant concerns stemming from the static code analysis. A very low percentage of output is properly escaped (16%), indicating a high risk of Cross-Site Scripting (XSS) vulnerabilities across numerous output points. Additionally, the taint analysis reveals flows with unsanitized paths, with one identified as high severity. The complete absence of nonce checks, despite 4 capability checks, is also a notable weakness, potentially leaving actions vulnerable to CSRF if not otherwise protected by capability checks alone. The presence of file operations and external HTTP requests without specific security details warrants caution, as these can be vectors for further exploitation if not handled securely.

Key Concerns

  • High percentage of unsanitized output
  • High severity unsanitized taint flow
  • No nonce checks present
  • File operations present
  • External HTTP requests present
Vulnerabilities
None known

Event Calendar / Scheduler Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Version History

Event Calendar / Scheduler Release Timeline

v3.0Current
v2.3.1
v2.3
v2.0
v1.3
v1.2.1
v1.2
v1.1
v1.0
Code Analysis
Analyzed Mar 16, 2026

Event Calendar / Scheduler Code Analysis

Dangerous Functions
0
Raw SQL Queries
7
34 prepared
Unescaped Output
32
6 escaped
Nonce Checks
0
Capability Checks
4
File Operations
11
External Requests
1
Bundled Libraries
0

SQL Query Safety

83% prepared41 total queries

Output Escaping

16% escaped38 total outputs
Data Flows · Security
3 unsanitized

Data Flow Analysis

4 flows3 with unsanitized paths
<dhtmlxSchedulerConfiguratorLoad> (codebase\dhtmlxSchedulerConfiguratorLoad.php:0)
Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized
Attack Surface

Event Calendar / Scheduler Attack Surface

Entry Points0
Unprotected0
WordPress Hooks 6
actionadmin_menuscheduler.php:68
actionadmin_initscheduler.php:69
actioninitscheduler.php:70
filterthe_contentscheduler.php:71
filtermce_external_pluginsscheduler.php:233
filtermce_buttonsscheduler.php:234
Maintenance & Trust

Event Calendar / Scheduler Maintenance & Trust

Maintenance Signals

WordPress version tested3.3.2
Last updatedSep 11, 2012
PHP min version
Downloads103K

Community Trust

Rating68/100
Number of ratings9
Active installs30
Developer Profile

Event Calendar / Scheduler Developer Profile

dhtmlx

1 plugin · 30 total installs

84
trust score
Avg Security Score
85/100
Avg Patch Time
30 days
View full developer profile
Detection Fingerprints

How We Detect Event Calendar / Scheduler

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/event-calendar-scheduler/codebase/dhtmlxscheduler.css/wp-content/plugins/event-calendar-scheduler/codebase/dhtmlxscheduler_terrace.css/wp-content/plugins/event-calendar-scheduler/codebase/dhtmlxscheduler.js/wp-content/plugins/event-calendar-scheduler/codebase/dhtmlxscheduler_date.js/wp-content/plugins/event-calendar-scheduler/codebase/dhtmlxscheduler_locale.js/wp-content/plugins/event-calendar-scheduler/codebase/locale/common_en.php
Script Paths
/wp-content/plugins/event-calendar-scheduler/codebase/dhtmlxscheduler.js/wp-content/plugins/event-calendar-scheduler/codebase/dhtmlxscheduler_date.js/wp-content/plugins/event-calendar-scheduler/codebase/dhtmlxscheduler_locale.js
Version Parameters
/wp-content/plugins/event-calendar-scheduler/codebase/dhtmlxscheduler.css?ver=/wp-content/plugins/event-calendar-scheduler/codebase/dhtmlxscheduler_terrace.css?ver=/wp-content/plugins/event-calendar-scheduler/codebase/dhtmlxscheduler.js?ver=/wp-content/plugins/event-calendar-scheduler/codebase/dhtmlxscheduler_date.js?ver=/wp-content/plugins/event-calendar-scheduler/codebase/dhtmlxscheduler_locale.js?ver=

HTML / DOM Fingerprints

CSS Classes
dhx_cal_navlinedhx_cal_prev_buttondhx_cal_next_buttondhx_cal_today_buttondhx_cal_datedhx_cal_weekdaydhx_cal_eventdhx_cal_event_line+12 more
HTML Comments
<!-- scheduler --><!-- end scheduler --><!-- begin scheduler_plugin --><!-- end scheduler_plugin -->
Data Attributes
data-scheduler-iddata-scheduler-view
JS Globals
schedulerDHXSchedulerscheduler_configscheduler_localedhx_scheduler
Shortcode Output
[scheduler_plugin][scheduler_sidebar]
FAQ

Frequently Asked Questions about Event Calendar / Scheduler