iCalendrier Security & Risk Analysis

wordpress.org/plugins/icalendrier

Simple plugin that displays daily informations like date, name day or moon phase. --- Petit plugin simple qui vous permet d'afficher sur votre si …

700 active installs v1.83 PHP + WP 3.5+ Updated Jul 4, 2024
calendarcalendariocalendrierephemeridekalender
85
A · Safe
CVEs total1
Unpatched0
Last CVEMar 25, 2024
Safety Verdict

Is iCalendrier Safe to Use in 2026?

Generally Safe

Score 85/100

iCalendrier has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

1 known CVELast CVE: Mar 25, 2024Updated 2yr ago
Risk Assessment

The iCalendar plugin v1.83 presents a mixed security posture. While the static analysis shows a small attack surface with no immediate unprotected entry points and a complete absence of dangerous functions or raw SQL queries, there are significant concerns regarding output escaping. Only 16% of output points are properly escaped, indicating a high risk of Cross-Site Scripting (XSS) vulnerabilities. This is further corroborated by the vulnerability history, which shows a past medium severity XSS vulnerability. The plugin's reliance on unescaped output, combined with a history of XSS, suggests a persistent weakness that could be exploited if input isn't sufficiently sanitized before being displayed to users.

Despite the positive findings of no taint flows and a lack of SQL injection risks, the poor output escaping is a critical flaw. The absence of nonce checks and capability checks on the single shortcode entry point, while not directly flagged as a vulnerability in this static analysis, could become problematic if the shortcode handles user-supplied data that is then rendered unsafely. The history of a medium severity XSS vulnerability, though patched, highlights the plugin's susceptibility to this type of attack. Therefore, while the plugin avoids some common pitfalls, the output escaping issue and past XSS vulnerability warrant careful consideration.

Key Concerns

  • Low percentage of properly escaped output
  • History of medium severity XSS vulnerability
  • No capability checks on entry points
  • No nonce checks on entry points
Vulnerabilities
1 published

iCalendrier Security Vulnerabilities

CVEs by Year

1 CVE in 2024
2024
Patched Has unpatched

Severity Breakdown

Medium
1

1 total CVE

CVE-2024-29912medium · 6.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

iCalendrier <= 1.80 - Authenticated (Contributor+) Stored Cross-Site Scripting

Mar 25, 2024 Patched in 1.81 (8d)
Version History

iCalendrier Release Timeline

v1.83Current
v1.82
v1.81
v1.801 CVE
v1.791 CVE
v1.781 CVE
v1.771 CVE
v1.761 CVE
v1.751 CVE
v1.741 CVE
v1.731 CVE
v1.721 CVE
v1.711 CVE
v1.621 CVE
v1.611 CVE
v1.541 CVE
v1.531 CVE
v1.521 CVE
v1.511 CVE
v1.71 CVE
Code Analysis
Analyzed Mar 16, 2026

iCalendrier Code Analysis

Dangerous Functions
0
Raw SQL Queries
0
0 prepared
Unescaped Output
31
6 escaped
Nonce Checks
0
Capability Checks
0
File Operations
0
External Requests
0
Bundled Libraries
0

Output Escaping

16% escaped37 total outputs
Attack Surface

iCalendrier Attack Surface

Entry Points1
Unprotected0

Shortcodes 1

[icalendrier] icalendrier-widget.php:84
WordPress Hooks 3
actionwp_enqueue_scriptsicalendrier-widget.php:49
actionadmin_enqueue_scriptsicalendrier-widget.php:51
actionwidgets_initicalendrier-widget.php:317
Maintenance & Trust

iCalendrier Maintenance & Trust

Maintenance Signals

WordPress version tested6.6.5
Last updatedJul 4, 2024
PHP min version
Downloads33K

Community Trust

Rating100/100
Number of ratings5
Active installs700
Developer Profile

iCalendrier Developer Profile

bplace

1 plugin · 700 total installs

84
trust score
Avg Security Score
85/100
Avg Patch Time
8 days
View full developer profile
Detection Fingerprints

How We Detect iCalendrier

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/icalendrier/css/icalendrier.css/wp-content/plugins/icalendrier/css/themes/icalendrier-alt-1.css/wp-content/plugins/icalendrier/css/icalendrier-admin.css

HTML / DOM Fingerprints

CSS Classes
icalendrier-comp175icalendrier-wide300icalendrier-alt-1
Data Attributes
data-ical-languagedata-ical-timezonedata-ical-showlinkdata-ical-bgcolordata-ical-styledata-ical-widgettitle
Shortcode Output
<div class="icalendrier icalendrier-comp175"><div class="icalendrier icalendrier-wide300">
FAQ

Frequently Asked Questions about iCalendrier