Next Event Calendar Security & Risk Analysis

wordpress.org/plugins/next-event-calendar

Easily add Events to WordPress and display them in a beautiful layout Responsive. Organize Events in category and filter them with ajax.

50 active installs v1.2 PHP + WP 3.0+ Updated Aug 7, 2015
calendareventeventsorganizerplanner
64
C · Use Caution
CVEs total1
Unpatched1
Last CVEJun 5, 2025
Safety Verdict

Is Next Event Calendar Safe to Use in 2026?

Use With Caution

Score 64/100

Next Event Calendar has 1 unpatched vulnerability. Evaluate alternatives or apply available mitigations.

1 known CVE 1 unpatched Last CVE: Jun 5, 2025Updated 10yr ago
Risk Assessment

The 'next-event-calendar' plugin v1.2 exhibits a mixed security posture. On the positive side, the plugin demonstrates good practices by having a minimal attack surface with only one entry point (a shortcode) and no unprotected AJAX handlers or REST API routes. The code also shows promising signs with 100% of SQL queries using prepared statements, no file operations, and external HTTP requests. The presence of nonce and capability checks further indicates an awareness of security principles.

However, significant concerns arise from the static analysis and vulnerability history. The most pressing issue is the presence of a medium severity Cross-site Scripting (XSS) vulnerability, which is currently unpatched. Furthermore, the code analysis reveals a low percentage (9%) of properly escaped output. This is a critical weakness, as unsafely rendered output is a common vector for XSS attacks, and it directly correlates with the plugin's past vulnerability. The lack of taint analysis data is also notable, making it difficult to fully assess the risk of data manipulation. Despite the good practices in other areas, the unpatched XSS vulnerability and the high rate of unescaped output present a substantial risk that requires immediate attention.

Key Concerns

  • Unpatched CVE (medium severity XSS)
  • Low percentage of properly escaped output
Vulnerabilities
1 published

Next Event Calendar Security Vulnerabilities

CVEs by Year

1 CVE in 2025 · unpatched
2025
Patched Has unpatched

Severity Breakdown

Medium
1

1 total CVE

CVE-2023-26001medium · 6.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Next Event Calendar <= 1.2 - Authenticated (Author+) Stored Cross-Site Scripting

Jun 5, 2025Unpatched
Version History

Next Event Calendar Release Timeline

v0.1.81 CVE
v0.1.71 CVE
v0.1.41 CVE
v0.1.21 CVE
Code Analysis
Analyzed Mar 16, 2026

Next Event Calendar Code Analysis

Dangerous Functions
0
Raw SQL Queries
0
0 prepared
Unescaped Output
50
5 escaped
Nonce Checks
1
Capability Checks
2
File Operations
0
External Requests
0
Bundled Libraries
0

Output Escaping

9% escaped55 total outputs
Attack Surface

Next Event Calendar Attack Surface

Entry Points1
Unprotected0

Shortcodes 1

[nec_events] next-event-calendar.php:255
WordPress Hooks 14
actionadmin_menuadmin.php:9
actionadmin_initadmin.php:17
actionplugins_loadednext-event-calendar.php:42
actioninitnext-event-calendar.php:51
actioninitnext-event-calendar.php:95
filterpre_get_postsnext-event-calendar.php:136
actionadd_meta_boxesnext-event-calendar.php:165
actionsave_postnext-event-calendar.php:246
actionwp_enqueue_scriptsnext-event-calendar.php:317
actionadmin_initnext-event-calendar.php:347
actionadmin_footernext-event-calendar.php:362
actionwp_footernext-event-calendar.php:445
filterthe_contentsingle.php:83
actionwidgets_initwidget.php:241
Maintenance & Trust

Next Event Calendar Maintenance & Trust

Maintenance Signals

WordPress version tested4.0.38
Last updatedAug 7, 2015
PHP min version
Downloads11K

Community Trust

Rating40/100
Number of ratings4
Active installs50
Developer Profile

Next Event Calendar Developer Profile

Marchetti Design

3 plugins · 3K total installs

82
trust score
Avg Security Score
83/100
Avg Patch Time
30 days
View full developer profile
Detection Fingerprints

How We Detect Next Event Calendar

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/next-event-calendar/css/style.css/wp-content/plugins/next-event-calendar/css/shortcode.css/wp-content/plugins/next-event-calendar/css/widget.css/wp-content/plugins/next-event-calendar/js/main.js
Script Paths
/wp-content/plugins/next-event-calendar/js/main.js
Version Parameters
next-event-calendar/css/style.css?ver=next-event-calendar/css/shortcode.css?ver=next-event-calendar/css/widget.css?ver=next-event-calendar/js/main.js?ver=

HTML / DOM Fingerprints

CSS Classes
nec-events-wrappernec-single-eventnec-event-titlenec-event-datenec-event-linkwidget_nec_events
Data Attributes
data-nec-events
JS Globals
jQuery
Shortcode Output
[next_event_calendar][nec_events_list]
FAQ

Frequently Asked Questions about Next Event Calendar