Calendar.online / Kalender.digital – Plugin Security & Risk Analysis

wordpress.org/plugins/kalender-digital

Plugin for the integration of a free calendar from Calendar.online or Kalender.digital

2K active installs v1.0.14 PHP 5.3+ WP 4.6+ Updated Feb 9, 2026
calendareventkalenderplanerplanner
98
A · Safe
CVEs total2
Unpatched0
Last CVEDec 31, 2025
Safety Verdict

Is Calendar.online / Kalender.digital – Plugin Safe to Use in 2026?

Generally Safe

Score 98/100

Calendar.online / Kalender.digital – Plugin has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

2 known CVEsLast CVE: Dec 31, 2025Updated 5mo ago
Risk Assessment

The kalender-digital v1.0.14 plugin exhibits a mixed security posture. While it demonstrates good practices by utilizing prepared statements for all SQL queries and having no external HTTP requests, it raises significant concerns regarding output escaping and a lack of robust security checks. The static analysis reveals that only 21% of output is properly escaped, indicating a high risk of Cross-Site Scripting (XSS) vulnerabilities. Furthermore, the absence of nonce checks, capability checks, and any authentication checks on its entry points (AJAX handlers, REST API routes, shortcodes) is a critical oversight that leaves the plugin highly susceptible to various attacks. The vulnerability history, while showing no currently unpatched CVEs, reveals two medium-severity XSS vulnerabilities in the past, which aligns with the findings of insufficient output escaping. This pattern suggests a recurring weakness that, if not addressed, could lead to future exploitable flaws. In conclusion, despite a clean slate regarding SQL injection and external requests, the severe deficiency in output escaping and the lack of essential security controls on its entry points present a substantial risk. The plugin requires immediate attention to address these critical security gaps.

Key Concerns

  • Low output escaping percentage (21%)
  • No nonce checks implemented
  • No capability checks implemented
  • 0 unprotected AJAX handlers, but overall attack surface has no auth checks
  • Two medium severity CVEs historically, common XSS
Vulnerabilities
2 published

Calendar.online / Kalender.digital – Plugin Security Vulnerabilities

CVEs by Year

1 CVE in 2024
2024
1 CVE in 2025
2025
Patched Has unpatched

Severity Breakdown

Medium
2

2 total CVEs

CVE-2025-62752medium · 6.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Calendar.online / Kalender.digital <= 1.0.13 - Authenticated (Contributor+) Stored Cross-Site Scripting

Dec 31, 2025 Patched in 1.0.14 (42d)
CVE-2024-38678medium · 6.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Calendar.online / Kalender.digital <= 1.0.8 - Authenticated (Contributor+) Stored Cross-Site Scripting

Jul 10, 2024 Patched in 1.0.9 (14d)
Version History

Calendar.online / Kalender.digital – Plugin Release Timeline

Code Analysis
Analyzed Mar 16, 2026

Calendar.online / Kalender.digital – Plugin Code Analysis

Dangerous Functions
0
Raw SQL Queries
0
0 prepared
Unescaped Output
15
4 escaped
Nonce Checks
0
Capability Checks
0
File Operations
0
External Requests
0
Bundled Libraries
0

Output Escaping

21% escaped19 total outputs
Attack Surface

Calendar.online / Kalender.digital – Plugin Attack Surface

Entry Points3
Unprotected0

Shortcodes 3

[kalender_digital] includes\class-kalender-digital.php:82
[calendar_expert] includes\class-kalender-digital.php:83
[calendar_online] includes\class-kalender-digital.php:84
WordPress Hooks 7
actionadmin_menuadmin\class-kalender-digital-admin.php:51
filterplugin_action_linksadmin\class-kalender-digital-admin.php:52
actionplugins_loadedincludes\class-kalender-digital.php:145
actionadmin_enqueue_scriptsincludes\class-kalender-digital.php:160
actionadmin_enqueue_scriptsincludes\class-kalender-digital.php:161
actionwp_enqueue_scriptsincludes\class-kalender-digital.php:176
actionwp_enqueue_scriptsincludes\class-kalender-digital.php:177
Maintenance & Trust

Calendar.online / Kalender.digital – Plugin Maintenance & Trust

Maintenance Signals

WordPress version tested6.8.5
Last updatedFeb 9, 2026
PHP min version5.3
Downloads32K

Community Trust

Rating88/100
Number of ratings7
Active installs2K
Developer Profile

Calendar.online / Kalender.digital – Plugin Developer Profile

kalender.digital

1 plugin · 2K total installs

93
trust score
Avg Security Score
98/100
Avg Patch Time
28 days
View full developer profile
Detection Fingerprints

How We Detect Calendar.online / Kalender.digital – Plugin

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/kalender-digital/admin/css/kalender-digital-admin.css/wp-content/plugins/kalender-digital/public/css/kalender-digital-public.css/wp-content/plugins/kalender-digital/public/js/kalender-digital-public.js
Script Paths
/wp-content/plugins/kalender-digital/admin/js/kalender-digital-admin.js
Version Parameters
kalender-digital/admin/css/kalender-digital-admin.css?ver=kalender-digital/public/css/kalender-digital-public.css?ver=kalender-digital/public/js/kalender-digital-public.js?ver=kalender-digital/admin/js/kalender-digital-admin.js?ver=

HTML / DOM Fingerprints

CSS Classes
kalender-digital-containerkalender-digital-shortcode
Shortcode Output
[calendar_online[kalender_digital
FAQ

Frequently Asked Questions about Calendar.online / Kalender.digital – Plugin