Does FullCalendar have any unpatched vulnerabilities?

No. All known vulnerabilities in FullCalendar have been patched as of the latest data update. Always keep the plugin updated to the latest version.

Is FullCalendar compatible with WordPress 4.9.29?

According to WordPress.org data, FullCalendar 3.4.0 has been tested up to WordPress 4.9.29. Check the plugin's changelog for the latest compatibility information.

How often is FullCalendar updated?

FullCalendar was last updated on Feb 15, 2019. Frequent updates are generally a positive security signal.

What is FullCalendar's security score?

FullCalendar has a WP-Safety security score of 85/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

FullCalendar Security & Risk Analysis

wordpress.org/plugins/fullcalendar

Display and customize one or many Google calendars. A non-official WordPress plugin for the (https://fullcalendar.io/) Open Source project.

60 active installs v3.4.0 PHP + WP 3.0.0+ Updated Feb 15, 2019

agendacalendarfullcalendargooglejquery

A · Safe

CVEs total0

Unpatched0

Last CVENever

Plugin page Download

Safety Verdict

Is FullCalendar Safe to Use in 2026?

Generally Safe

Score 85/100

FullCalendar has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 7yr ago

Risk Assessment

The "fullcalendar" plugin version 3.4.0 exhibits a generally good security posture based on the provided static analysis. The absence of any known CVEs and a lack of critical taint flows are positive indicators. The code adheres to some security best practices, such as using prepared statements for SQL queries and including nonce checks. However, there are significant areas for improvement.

The primary concern lies in the inadequate output escaping, with only 7% of outputs being properly sanitized. This leaves the plugin susceptible to cross-site scripting (XSS) vulnerabilities, as malicious scripts could be injected and executed in the user's browser. While the attack surface is small and no direct unprotected entry points were found, the low rate of output escaping represents a tangible risk.

Given the clean vulnerability history, it's possible that the developers have addressed past issues or that the plugin's usage patterns haven't exposed exploitable weaknesses. Nevertheless, the current code analysis reveals a critical weakness in output sanitization that needs immediate attention. The plugin's strengths are its limited attack surface and proper SQL handling, but these are overshadowed by the high risk of XSS due to poor output escaping.

Key Concerns

Low percentage of properly escaped output
No capability checks on entry points

Vulnerabilities

None known

FullCalendar Security Vulnerabilities

No known vulnerabilities — this is a good sign.

Code Analysis

Analyzed Mar 16, 2026

FullCalendar Code Analysis

Dangerous Functions

Raw SQL Queries

0 prepared

Unescaped Output

1 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

Output Escaping

7% escaped15 total outputs

Attack Surface

FullCalendar Attack Surface

Entry Points1

Unprotected0

Shortcodes 1

[fullcalendar] fullcalendar.php:124

WordPress Hooks 3

actionadmin_menufullcalendar.php:49

actionwp_headfullcalendar.php:148

actionwp_enqueue_scriptsfullcalendar.php:150

Maintenance & Trust

FullCalendar Maintenance & Trust

Maintenance Signals

WordPress version tested4.9.29

Last updatedFeb 15, 2019

PHP min version

Downloads4K

Community Trust

Rating0/100

Number of ratings0

Active installs60

Alternatives

FullCalendar Alternatives

Pretty Google Calendar

pretty-google-calendar

Embedded Google Calendars that don't suck.

5K 3 CVEs

Easy!Appointments

easyappointments

Integrate the booking form of Easy!Appointments directly into your WordPress pages.

600 4 CVEs

Full Calendar Js

full-calendar-js

Display multiple Calendar XML feeds into a jquery calendar. Works with Google Calendar and others.

30 No CVEs

Simple Calendar – Google Calendar Plugin

google-calendar-events

Add Google Calendar events to your WordPress site in minutes. Beautiful calendar displays. Mobile responsive.

50K 7 CVEs

ICS Calendar

ics-calendar

Add the calendar you already use to Any WordPress site! Google Calendar, Microsoft 365, iCloud and more… no API keys or complicated setup required.

10K 1 CVE

Developer Profile

FullCalendar Developer Profile

ircf

5 plugins · 310 total installs

trust score

Avg Security Score

94/100

Avg Patch Time

282 days

View full developer profile

Detection Fingerprints

How We Detect FullCalendar

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

/wp-content/plugins/fullcalendar/lib/moment-with-locales.min.js/wp-content/plugins/fullcalendar/lib/fullcalendar.min.js/wp-content/plugins/fullcalendar/lib/gcal.js/wp-content/plugins/fullcalendar/lib/fullcalendar.min.css/wp-content/plugins/fullcalendar/lib/fullcalendar.print.min.css

Script Paths

/wp-content/plugins/fullcalendar/lib/moment-with-locales.min.js/wp-content/plugins/fullcalendar/lib/fullcalendar.min.js/wp-content/plugins/fullcalendar/lib/gcal.js

HTML / DOM Fingerprints

CSS Classes

nice-event

Data Attributes

data-fullcalendar-api-keydata-fullcalendar-google-calendar-id

JS Globals

jQuerymomentfullCalendar

Shortcode Output

<div id="loading" style="display:none">Chargement en cours...</div><div id="calendar"></div>

FAQ