WP-Safety

Open Source Event Calendar Security & Risk Analysis

wordpress.org/plugins/open-source-event-calendar

An event calendar with native iCal / ICS import and export

10 active installs v1.1.0 PHP 8.2+ WP 6.6+ Updated Mar 27, 2026
calendareventsical-importerics
100
A · Safe
CVEs total0
Unpatched0
Last CVENever
Plugin page Download
Safety Verdict

Is Open Source Event Calendar Safe to Use in 2026?

Generally Safe

Score 100/100

Open Source Event Calendar has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 1mo ago
Risk Assessment

The open-source-event-calendar v1.1.0 exhibits a mixed security posture. On the positive side, the plugin demonstrates good practices with 100% of SQL queries using prepared statements and 99% of output properly escaped, significantly mitigating common web vulnerabilities. The absence of known CVEs and a history of vulnerabilities further suggests a generally stable codebase. However, a significant concern arises from the attack surface analysis, revealing 8 AJAX handlers that lack authentication checks. While the taint analysis did not identify critical or high-severity unsanitized flows, the presence of 6 flows with unsanitized paths, even if rated lower severity, warrants attention, especially when combined with the unprotected AJAX endpoints. The bundled Select2 v3.3.1 library is outdated, posing a potential risk if vulnerabilities exist in that specific version.

In conclusion, the plugin benefits from robust data handling practices but is weakened by a substantial number of unprotected entry points that could be exploited. The lack of historical vulnerabilities is a strength, but the static analysis highlights areas for improvement to harden the plugin's security. The outdated bundled library is a minor but addressable risk. Further investigation into the 6 unsanitized paths is recommended, though their impact appears limited in this version based on the current analysis.

Key Concerns

  • 8 unprotected AJAX handlers
  • 6 unsanitized paths in taint analysis
  • Bundled outdated Select2 v3.3.1 library
Vulnerabilities
None known

Open Source Event Calendar Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Version History

Open Source Event Calendar Release Timeline

v1.1.0Current
v1.0.11
Code Analysis
Analyzed Apr 16, 2026

Open Source Event Calendar Code Analysis

Dangerous Functions
0
Raw SQL Queries
0
73 prepared
Unescaped Output
4
391 escaped
Nonce Checks
15
Capability Checks
20
File Operations
16
External Requests
1
Bundled Libraries
1

Bundled Libraries

Select23.3.1

SQL Query Safety

100% prepared73 total queries

Output Escaping

99% escaped395 total outputs
Data Flows · Security
6 unsanitized

Data Flow Analysis

7 flows6 with unsanitized paths
render_css (src/App/Controller/FrontendCssController.php:83)
Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized
Attack Surface
8 unprotected

Open Source Event Calendar Attack Surface

Entry Points9
Unprotected8

AJAX Handlers 8

authwp_ajax_osec_get_repeat_boxsrc/App/Controller/BootstrapController.php:311
authwp_ajax_osec_dismiss_noticesrc/App/Controller/BootstrapController.php:323
authwp_ajax_osec_rrule_to_textsrc/App/Controller/BootstrapController.php:336
authwp_ajax_osec_rescan_cachesrc/App/Controller/BootstrapController.php:443
authwp_ajax_osec_add_icssrc/App/Controller/FeedsController.php:77
authwp_ajax_osec_delete_icssrc/App/Controller/FeedsController.php:86
authwp_ajax_osec_update_icssrc/App/Controller/FeedsController.php:95
authwp_ajax_osec_feeds_page_postsrc/App/Controller/FeedsController.php:110

REST API Routes 1

GET/wp-json/osec/v1/settingssrc/App/Controller/RestController.php:18
WordPress Hooks 71
actioninitopen-source-event-calendar.php:45
actionadmin_enqueue_scriptsopen-source-event-calendar.php:105
actioninitsrc/App/Controller/BootstrapController.php:95
actionafter_setup_themesrc/App/Controller/BootstrapController.php:96
actioninitsrc/App/Controller/BootstrapController.php:97
actioninitsrc/App/Controller/BootstrapController.php:131
actioninitsrc/App/Controller/BootstrapController.php:196
actioninitsrc/App/Controller/BootstrapController.php:203
actionadmin_initsrc/App/Controller/BootstrapController.php:210
actioninitsrc/App/Controller/BootstrapController.php:217
filteruse_block_editor_for_post_typesrc/App/Controller/BootstrapController.php:221
actioninitsrc/App/Controller/BootstrapController.php:229
actioninitsrc/App/Controller/BootstrapController.php:233
actiontemplate_redirectsrc/App/Controller/BootstrapController.php:235
actionpre_http_requestsrc/App/Controller/BootstrapController.php:241
actioninitsrc/App/Controller/BootstrapController.php:246
filterget_the_excerptsrc/App/Controller/BootstrapController.php:250
filterrobots_txtsrc/App/Controller/BootstrapController.php:254
filterosec_dbi_debugsrc/App/Controller/BootstrapController.php:258
actionupdated_optionsrc/App/Controller/BootstrapController.php:287
actioncurrent_screensrc/App/Controller/BootstrapController.php:343
actionadmin_menusrc/App/Controller/BootstrapController.php:362
actionnetwork_admin_noticessrc/App/Controller/BootstrapController.php:374
actionadmin_noticessrc/App/Controller/BootstrapController.php:381
filterpost_row_actionssrc/App/Controller/BootstrapController.php:388
actionadd_meta_boxessrc/App/Controller/BootstrapController.php:392
actionedit_form_after_titlesrc/App/Controller/BootstrapController.php:405
filterwp_insert_post_datasrc/App/Controller/BootstrapController.php:421
filterpost_updated_messagessrc/App/Controller/BootstrapController.php:430
actionadmin_enqueue_scriptssrc/App/Controller/BootstrapController.php:450
actionafter_setup_themesrc/App/Controller/BootstrapController.php:462
actionthe_postsrc/App/Controller/BootstrapController.php:469
actionsend_headerssrc/App/Controller/BootstrapController.php:478
actionosec_loadedsrc/App/Controller/DatabaseController.php:47
actionwp_headsrc/App/Controller/FrontendCssController.php:223
actionwp_headsrc/App/Controller/FrontendCssController.php:258
actionrest_api_initsrc/App/Controller/RestController.php:15
filterrewrite_rules_arraysrc/App/Controller/Router.php:150
filterai1ec_settings_initiatedsrc/App/Controller/Scheduler.php:59
actionwp_loadedsrc/App/Controller/ScriptsFrontendController.php:118
actioninitsrc/App/Controller/ScriptsFrontendController.php:126
actiondelete_postsrc/App/Controller/TrashController.php:30
actiondelete_postsrc/App/Controller/TrashController.php:38
actiontrashed_postsrc/App/Controller/TrashController.php:47
actionuntrashed_postsrc/App/Controller/TrashController.php:56
filterthe_contentsrc/App/Model/ContentFilterBypassHelper.php:77
actionadmin_action_editpostsrc/App/Model/PostTypeEvent/EventParent.php:33
filteruser_has_capsrc/App/Model/PostTypeEvent/EventParent.php:42
actionpost_row_actionssrc/App/Model/PostTypeEvent/EventParent.php:52
actionosec_events_categories_add_form_fieldssrc/App/View/Admin/AdminEventCategoryHooks.php:29
actionosec_events_categories_edit_form_fieldssrc/App/View/Admin/AdminEventCategoryHooks.php:36
actioncreated_osec_events_categoriessrc/App/View/Admin/AdminEventCategoryHooks.php:43
actionedited_osec_events_categoriessrc/App/View/Admin/AdminEventCategoryHooks.php:50
actionmanage_edit-osec_events_categories_columnssrc/App/View/Admin/AdminEventCategoryHooks.php:57
actionmanage_osec_events_categories_custom_columnsrc/App/View/Admin/AdminEventCategoryHooks.php:64
filterget_post_metadatasrc/App/View/Admin/AdminEventCategoryHooks.php:76
actionedit_form_after_titlesrc/App/View/Admin/AdminPageAddEvent.php:45
filterprint_scripts_arraysrc/App/View/Admin/AdminPageAddEvent.php:227
actionrestrict_manage_postssrc/App/View/Admin/AdminPageAllEvents.php:31
actionparse_querysrc/App/View/Admin/AdminPageAllEvents.php:37
filterposts_orderbysrc/App/View/Admin/AdminPageAllEvents.php:65
filterrender_blocksrc/App/View/Event/EventSingleView.php:28
filterthe_contentsrc/App/View/Event/EventSingleView.php:60
filterqtranslate_languagesrc/App/WpmlHelper.php:33
actioninitsrc/App/WpmlHelper.php:304
filteruse_streams_transportsrc/Http/Request/Request.php:102
filterthe_contentsrc/Http/Response/RenderHtml.php:58
filterthe_contentsrc/Http/Response/RenderHtml.php:63
filterosec_twig_add_debugsrc/Theme/ThemeCompiler.php:29
filtertheme_root_urisrc/Theme/ThemeFinder.php:88
filterwp_cache_themes_persistentlysrc/Theme/ThemeFinder.php:109
Maintenance & Trust

Open Source Event Calendar Maintenance & Trust

Maintenance Signals

WordPress version tested6.9.4
Last updatedMar 27, 2026
PHP min version8.2
Downloads336

Community Trust

Rating0/100
Number of ratings0
Active installs10
Alternatives

Open Source Event Calendar Alternatives

ICS Calendar

ICS Calendar

ics-calendar

A
99

Add the calendar you already use to Any WordPress site! Google Calendar, Microsoft 365, iCloud and more… no API keys or complicated setup required.

10K 1 CVE
Booking Manager – Sync WP Booking Calendar – Import Events, Export Bookings to ICS Calendar

Booking Manager – Sync WP Booking Calendar – Import Events, Export Bookings to ICS Calendar

booking-manager

A
95

Showing events listing from .ics feeds or sync bookings from different sources to your website

5K 4 CVEs
Hydrogen Calendar Embeds

Hydrogen Calendar Embeds

hydrogen-calendar-embeds

A
100

The free, simple, lightweight way to embed beautiful, fully customizable ICS calendars into your WordPress site.

700 No CVEs
Event – Add to Calendar

Event – Add to Calendar

evtcal-add-to-calendar

A
100

Add customizable "Add to Calendar" buttons to your WordPress site with support for Google Calendar, Outlook, Apple Calendar, and more.

30 No CVEs
AppsByAdie Events Pro

AppsByAdie Events Pro

appsbyadie-events-pro

A
100

A lightweight, secure event management system with built-in ICS "Add to Calendar" support and customizable admin styles.

0 No CVEs
Developer Profile

Open Source Event Calendar Developer Profile

digitaldonkey

3 plugins · 80 total installs

77
trust score
Avg Security Score
76/100
Avg Patch Time
30 days
View full developer profile
Detection Fingerprints

How We Detect Open Source Event Calendar

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/open-source-event-calendar/calendar_block/build/index.js/wp-content/plugins/open-source-event-calendar/calendar_block/build/index.css/wp-content/plugins/open-source-event-calendar/calendar_block/build/style-index.css/wp-content/plugins/open-source-event-calendar/assets/css/osec-frontend.css/wp-content/plugins/open-source-event-calendar/assets/js/osec-frontend.js/wp-content/plugins/open-source-event-calendar/assets/js/frontend/osec-frontend.js
Script Paths
/wp-content/plugins/open-source-event-calendar/calendar_block/build/index.js/wp-content/plugins/open-source-event-calendar/assets/js/osec-frontend.js/wp-content/plugins/open-source-event-calendar/assets/js/frontend/osec-frontend.js
Version Parameters
open-source-event-calendar/calendar_block/build/index.js?ver=open-source-event-calendar/calendar_block/build/index.css?ver=open-source-event-calendar/calendar_block/build/style-index.css?ver=open-source-event-calendar/assets/css/osec-frontend.css?ver=open-source-event-calendar/assets/js/osec-frontend.js?ver=open-source-event-calendar/assets/js/frontend/osec-frontend.js?ver=

HTML / DOM Fingerprints

CSS Classes
osec-calendar-viewosec-calendar-day-eventosec-calendar-day-event-detailsosec-calendar-modalosec-calendar-modal-headerosec-calendar-modal-bodyosec-calendar-modal-footerosec-calendar-filter-bar+15 more
HTML Comments
<!-- Autosaving Event Data does not currently work.EventEditing->save_post() is not receiving Event Data.
Data Attributes
data-osec-viewdata-osec-post-idsdata-osec-display-filtersdata-osec-display-subscribedata-osec-agenda-toggledata-osec-display-view-switch+3 more
JS Globals
osec_frontend_dataOSEventCalendarosecCalendar
REST Endpoints
/wp-json/osec/v1/events/wp-json/osec/v1/categories/wp-json/osec/v1/tags/wp-json/osec/v1/locations/wp-json/osec/v1/organizers
Shortcode Output
[osec-calendar][osec-calendar-list][osec-calendar-agenda]
FAQ

Frequently Asked Questions about Open Source Event Calendar