FT Calendar Security & Risk Analysis

wordpress.org/plugins/ft-calendar

A calendar plugin supporting multiple calendars, recurring events, and several different widgets / shortcodes. More info at http://calendar-plugin.com

100 active installs · v1.6.1.1 · PHP + WP 3.0+ · Updated Feb 24, 2019
Tags: calendar, dates, event-manager, events, times
Score: 85 (A · Safe)
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is FT Calendar Safe to Use in 2026?

Generally Safe

Score 85/100

FT Calendar has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 7yr ago
Risk Assessment

The "ft-calendar" plugin version 1.6.1.1 exhibits a mixed security posture, with some positive indicators but notable areas of concern stemming from its attack surface and output handling. While the plugin boasts a clean vulnerability history with no recorded CVEs, this does not negate the risks identified in the static analysis. The presence of four AJAX handlers without authentication checks presents a significant attack vector, potentially allowing unauthorized actions if these handlers are exploitable. Furthermore, the low percentage of properly escaped output (21%) suggests a high likelihood of cross-site scripting (XSS) vulnerabilities across various functionalities. The taint analysis, while showing no critical or high-severity unsanitized paths, still identified three flows with unsanitized paths, which warrants further investigation.

Despite the lack of direct vulnerabilities in past CVEs, the static analysis reveals several practices that deviate from secure coding standards. The absence of capability checks, in particular, is a critical oversight when combined with unprotected AJAX endpoints. The static analysis also highlights a moderate number of SQL queries where prepared statements are not utilized, posing a risk of SQL injection. The plugin's strengths lie in its lack of dangerous functions and external HTTP requests, and the presence of nonce checks on all AJAX handlers. However, the substantial number of unprotected AJAX entry points and the poor output escaping practices are significant weaknesses that could be exploited by attackers.

Key Concerns

  • AJAX handlers without authentication checks
  • Low percentage of properly escaped output
  • Flows with unsanitized paths (taint analysis)
  • SQL queries not using prepared statements
  • No capability checks
Vulnerabilities
None known

FT Calendar Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

FT Calendar Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 6 (7 prepared)
Unescaped Output: 169 (44 escaped)
Nonce Checks: 6
Capability Checks: 0
File Operations: 4
External Requests: 2
Bundled Libraries: 0

SQL Query Safety

54% prepared · 13 total queries

Output Escaping

21% escaped · 213 total outputs
Data Flows
3 unsanitized

Data Flow Analysis

6 flows · 3 with unsanitized paths
add_ftcal_data_meta_box (classes\class-events.php:84)
Legend: Source (user input), Sink (dangerous op), Sanitizer, Transform, Unsanitized, Sanitized
Attack Surface
4 unprotected

FT Calendar Attack Surface

Entry Points: 10
Unprotected: 4

AJAX Handlers 6

auth wp_ajax_save_ftcal_data classes\class-events.php:31
auth wp_ajax_delete_ftcal_data classes\class-events.php:32
nopriv wp_ajax_large_calendar_change classes\class-shortcodes.php:26
auth wp_ajax_large_calendar_change classes\class-shortcodes.php:27
nopriv wp_ajax_thumb_month_change classes\class-shortcodes.php:28
auth wp_ajax_thumb_month_change classes\class-shortcodes.php:29

Shortcodes 4

[ftcalendar_list] classes\class-shortcodes.php:31
[ftcalendar] classes\class-shortcodes.php:32
[ftcalendar_thumb] classes\class-shortcodes.php:33
[ftcalendar_post_schedule] classes\class-shortcodes.php:34
WordPress Hooks 51
action admin_menu classes\class-admin.php:27
filter parent_file classes\class-admin.php:28
action admin_enqueue_scripts classes\class-admin.php:29
action admin_init classes\class-admin.php:35
action admin_notices classes\class-admin.php:1822
action init classes\class-calendars.php:29
action ftcalendar_add_form_fields classes\class-calendars.php:30
action ftcalendar_edit_form_fields classes\class-calendars.php:31
action edited_ftcalendar classes\class-calendars.php:32
action created_ftcalendar classes\class-calendars.php:33
filter manage_ftcalendar_sortable_columns classes\class-calendars.php:34
action admin_print_styles-edit-tags.php classes\class-calendars.php:35
action admin_print_scripts-edit-tags.php classes\class-calendars.php:36
filter pre_insert_term classes\class-calendars.php:37
action admin_init classes\class-events.php:24
action admin_print_styles-edit.php classes\class-events.php:25
action admin_print_scripts-edit.php classes\class-events.php:26
action admin_print_styles-post.php classes\class-events.php:27
action admin_print_scripts-post.php classes\class-events.php:28
action admin_print_styles-post-new.php classes\class-events.php:29
action admin_print_scripts-post-new.php classes\class-events.php:30
action deleted_post classes\class-events.php:33
filter posts_distinct classes\class-events.php:40
filter posts_fields classes\class-events.php:41
filter posts_join classes\class-events.php:42
filter posts_orderby classes\class-events.php:43
filter get_the_excerpt classes\class-events.php:49
filter the_content classes\class-events.php:50
filter the_excerpt classes\class-events.php:51
action init classes\class-feeds.php:29
action do_feed_rdf classes\class-feeds.php:30
action do_feed_atom classes\class-feeds.php:31
action do_feed_rss classes\class-feeds.php:32
action do_feed_rss2 classes\class-feeds.php:33
action do_feed_ical classes\class-feeds.php:34
action wp_enqueue_scripts classes\class-shortcodes.php:24
filter the_content classes\class-shortcodes.php:273
filter the_excerpt classes\class-shortcodes.php:274
filter the_content classes\class-shortcodes.php:296
filter the_excerpt classes\class-shortcodes.php:297
action widgets_init classes\class-widgets.php:439
action admin_head classes\ft-ps-client.php:40
action init classes\ft-ps-client.php:41
action admin_notices classes\ft-ps-client.php:178
action admin_notices classes\ft-ps-client.php:187
filter plugins_api classes\ft-ps-client.php:271
filter site_transient_update_plugins classes\ft-ps-client.php:274
filter transient_update_plugins classes\ft-ps-client.php:275
filter cron_schedules classes\ft-ps-client.php:283
action admin_init classes\ft-ps-client.php:295
action plugins_loaded ft-calendar.php:176
Maintenance & Trust

FT Calendar Maintenance & Trust

Maintenance Signals

WordPress version tested: 5.1.22
Last updated: Feb 24, 2019
PHP min version
Downloads: 58K

Community Trust

Rating: 58/100
Number of ratings: 7
Active installs: 100
Developer Profile

FT Calendar Developer Profile

Syed Balkhi

94 plugins · 23.5M total installs

Trust score: 73
Avg Security Score: 91/100
Avg Patch Time: 795 days
Detection Fingerprints

How We Detect FT Calendar

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/ft-calendar/css/ft-calendar-admin.css
/wp-content/plugins/ft-calendar/css/ft-calendar-public.css
/wp-content/plugins/ft-calendar/js/ft-calendar-admin.js
/wp-content/plugins/ft-calendar/js/ft-calendar-public.js
Version Parameters
ft-calendar/css/ft-calendar-admin.css?ver=
ft-calendar/css/ft-calendar-public.css?ver=
ft-calendar/js/ft-calendar-admin.js?ver=
ft-calendar/js/ft-calendar-public.js?ver=

HTML / DOM Fingerprints

CSS Classes
ft-calendar-event
ft-calendar-event-title
ft-calendar-event-date
ft-calendar-nav
ft-calendar-next
ft-calendar-prev
ft-calendar-month-view
ft-calendar-day-view
(+1 more)
HTML Comments
<!-- Premium Support Client for SimpleMap -->
Data Attributes
data-ftcalendar-id
data-ftcalendar-event-id
JS Globals
ft_calendar_ajax_obj
REST Endpoints
/wp-json/ft-calendar/v1/events
Shortcode Output
[ft_calendar]
[ft_events]