Spiffy Calendar Security & Risk Analysis

wordpress.org/plugins/spiffy-calendar

Manage and display your events in a responsive calendar with multiple views, widgets and shortcodes. Color-coded categories and recurrence support.

3K active installs · v5.0.8 · PHP + WP 5.3+ · Updated Dec 11, 2025
Tags: block, calendar, event, recurring, responsive
86
A · Safe
CVEs total: 14
Unpatched: 0
Last CVE: Jan 5, 2026
Safety Verdict

Is Spiffy Calendar Safe to Use in 2026?

Generally Safe

Score 86/100

Spiffy Calendar has a strong security track record. Known vulnerabilities have been patched promptly.

14 known CVEs · Last CVE: Jan 5, 2026 · Updated 3mo ago
Risk Assessment

The spiffy-calendar plugin v5.0.8 presents a mixed security posture. While the static analysis shows promising signs like a complete absence of critical taint flows, a significant percentage of SQL queries using prepared statements, and no file operations or external HTTP requests, several areas raise concern. The lack of explicit authorization checks on any of the entry points (AJAX, REST API) is a significant weakness, as is the fact that 43% of output is not properly escaped, creating a potential for Cross-Site Scripting vulnerabilities.

The plugin's vulnerability history is particularly troubling, with 14 known CVEs, including a critical and a high severity vulnerability. The common types of past vulnerabilities (XSS, authorization issues, SQL injection) directly correlate with the observed weaknesses in the code analysis, particularly the unescaped output and the lack of authorization checks. Despite the current version showing no unpatched CVEs, the historical pattern of severe vulnerabilities indicates a persistent tendency towards security flaws. The plugin's strengths lie in its avoidance of common risky practices like raw SQL and external requests, but the significant amount of unescaped output and the historical vulnerability profile necessitate caution.

Key Concerns

  • Significant percentage of unescaped output
  • No authorization checks on AJAX handlers
  • No permission callbacks on REST API routes
  • 14 known CVEs historically
  • 1 critical severity vulnerability historically
  • 1 high severity vulnerability historically
Vulnerabilities: 14

Spiffy Calendar Security Vulnerabilities

CVEs by Year

2017: 1 CVE
2022: 3 CVEs
2023: 2 CVEs
2024: 7 CVEs
2026: 1 CVE

Severity Breakdown

Critical: 1
High: 1
Medium: 12

14 total CVEs

CVE-2025-68523 · medium · 4.3 · Missing Authorization
Spiffy Calendar <= 5.0.7 - Missing Authorization
Jan 5, 2026 · Patched in 5.0.8 (10d)

CVE-2024-45458 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Spiffy Calendar <= 4.9.13 - Reflected Cross-Site Scripting
Sep 12, 2024 · Patched in 4.9.14 (7d)

CVE-2024-45457 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Spiffy Calendar <= 4.9.13 - Authenticated (Contributor+) Stored Cross-Site Scripting
Sep 12, 2024 · Patched in 4.9.14 (7d)

CVE-2024-43969 · medium · 4.9 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Spiffy Calendar <= 4.9.12 - Authenticated (Admin+) SQL Injection
Aug 28, 2024 · Patched in 4.9.13 (38d)

CVE-2024-38692 · critical · 9.1 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Spiffy Calendar <= 4.9.11 - Authenticated (Administrator+) SQL Injection
Jul 10, 2024 · Patched in 4.9.12 (9d)

CVE-2024-30528 · medium · 4.3 · Missing Authorization
Spiffy Calendar <= 4.9.10 - Missing Authorization
Mar 29, 2024 · Patched in 4.9.11 (6d)

CVE-2024-30427 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Spiffy Calendar <= 4.9.7 - Reflected Cross-Site Scripting
Mar 28, 2024 · Patched in 4.9.10 (7d)

CVE-2024-0855 · medium · 4.3 · Incorrect Authorization
Spiffy Calendar <= 4.9.8 - Insufficient Authorization
Jan 12, 2024 · Patched in 4.9.9 (71d)

CVE-2023-49745 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Spiffy Calendar <= 4.9.5 - Authenticated (Contributor+) Stored Cross-Site Scripting
Dec 1, 2023 · Patched in 4.9.6 (53d)

CVE-2023-32122 · medium · 4.7 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Spiffy Calendar <= 4.9.3 - Reflected Cross-Site Scripting via page parameter
May 3, 2023 · Patched in 4.9.4 (265d)

CVE-2022-46859 · high · 8.8 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Spiffy Calendar <= 4.9.1 - Authenticated (Contributor+) SQL Injection
Dec 16, 2022 · Patched in 4.9.2 (403d)

CVE-2022-29434 · medium · 6.3 · Authorization Bypass Through User-Controlled Key
Spiffy Calendar <= 4.9.0 - Edit/Delete event via IDOR
Feb 10, 2022 · Patched in 4.9.1 (711d)

CVE-2022-25599 · medium · 5.4 · Cross-Site Request Forgery (CSRF)
Spiffy Calendar <= 4.9.0 - Event deletion via Cross-Site Request Forgery
Feb 10, 2022 · Patched in 4.9.1 (712d)

CVE-2017-9420 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Spiffy Calendar < 3.3.0 - Reflected Cross-Site Scripting
Jun 2, 2017 · Patched in 3.3.0 (2426d)

Code Analysis
Analyzed Mar 16, 2026

Spiffy Calendar Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 6 (20 prepared)
Unescaped Output: 167 (217 escaped)
Nonce Checks: 4
Capability Checks: 12
File Operations: 0
External Requests: 0
Bundled Libraries: 0

SQL Query Safety

77% prepared · 26 total queries

Output Escaping

57% escaped · 384 total outputs

Data Flows: All sanitized

Data Flow Analysis

4 flows
events_admin_buttons (includes\admin\custom-posts.php:298)
[Flow diagram legend: Source (user input), Sink (dangerous op), Sanitizer, Transform, Unsanitized, Sanitized]
Attack Surface

Spiffy Calendar Attack Surface

Entry Points: 5
Unprotected: 0

Shortcodes 5

[spiffy-calendar] spiffy-calendar.php:92
[spiffy-minical] spiffy-calendar.php:93
[spiffy-upcoming-list] spiffy-calendar.php:94
[spiffy-todays-list] spiffy-calendar.php:95
[spiffy-week] spiffy-calendar.php:96

WordPress Hooks 47

action init includes\admin\custom-posts.php:43
action spiffy_categories_edit_form_fields includes\admin\custom-posts.php:48
action spiffy_categories_add_form_fields includes\admin\custom-posts.php:49
action edited_spiffy_categories includes\admin\custom-posts.php:50
action created_spiffy_categories includes\admin\custom-posts.php:51
action admin_init includes\admin\custom-posts.php:53
filter views_edit-spiffy_event includes\admin\custom-posts.php:55
action restrict_manage_posts includes\admin\custom-posts.php:57
filter months_dropdown_results includes\admin\custom-posts.php:58
filter post_row_actions includes\admin\custom-posts.php:59
filter post_column_taxonomy_links includes\admin\custom-posts.php:60
filter default_hidden_columns includes\admin\custom-posts.php:61
action quick_edit_custom_box includes\admin\custom-posts.php:63
action admin_footer includes\admin\custom-posts.php:64
action admin_action_spiffy_copy_event includes\admin\custom-posts.php:66
action pre_get_posts includes\admin\custom-posts.php:67
action wp_loaded includes\admin\custom-posts.php:83
filter manage_spiffy_event_posts_columns includes\admin\custom-posts.php:178
filter manage_edit-spiffy_event_sortable_columns includes\admin\custom-posts.php:181
action manage_spiffy_event_posts_custom_column includes\admin\custom-posts.php:184
action pre_get_posts includes\admin\custom-posts.php:187
action init includes\admin\meta-boxes.php:17
action add_meta_boxes includes\admin\meta-boxes.php:18
action save_post includes\admin\meta-boxes.php:19
action media_buttons includes\shortcode-buttons.php:18
action admin_head includes\shortcode-buttons.php:21
action admin_footer includes\shortcode-buttons.php:37
action widgets_init includes\spiffy-featured-widget.php:9
action widgets_init includes\spiffy-minical-widget.php:9
action widgets_init includes\spiffy-today-widget.php:9
action widgets_init includes\spiffy-upcoming-widget.php:9
filter the_content includes\views.php:19
action init spiffy-calendar.php:74
action admin_menu spiffy-calendar.php:75
action admin_bar_menu spiffy-calendar.php:76
filter spiffycal_settings_tabs_array spiffy-calendar.php:78
action spiffycal_settings_tab_theme spiffy-calendar.php:81
action spiffycal_settings_tab_frontend_submit spiffy-calendar.php:82
action spiffycal_settings_tab_custom_fields spiffy-calendar.php:83
action spiffycal_settings_tab_settings spiffy-calendar.php:85
action spiffycal_settings_update_settings spiffy-calendar.php:86
action admin_enqueue_scripts spiffy-calendar.php:88
action wp_enqueue_scripts spiffy-calendar.php:91
filter wysija_shortcodes spiffy-calendar.php:99
filter mailpoet_newsletter_shortcode spiffy-calendar.php:100
filter set-screen-option spiffy-calendar.php:104
action admin_notices spiffy-calendar.php:158

Maintenance & Trust

Spiffy Calendar Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Dec 11, 2025
PHP min version
Downloads: 201K

Community Trust

Rating: 98/100
Number of ratings: 38
Active installs: 3K

Developer Profile

Spiffy Calendar Developer Profile

Spiffy Plugins

2 plugins · 4K total installs

Trust score: 73
Avg Security Score: 92/100
Avg Patch Time: 280 days
Detection Fingerprints

How We Detect Spiffy Calendar

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/spiffy-calendar/css/style.css
  • /wp-content/plugins/spiffy-calendar/css/fullcalendar.css
  • /wp-content/plugins/spiffy-calendar/css/custom.css
  • /wp-content/plugins/spiffy-calendar/css/spiffy-admin.css
  • /wp-content/plugins/spiffy-calendar/js/spiffy-calendar.js
  • /wp-content/plugins/spiffy-calendar/js/spiffy-calendar-admin.js
  • /wp-content/plugins/spiffy-calendar/js/fullcalendar.min.js
  • /wp-content/plugins/spiffy-calendar/js/moment.min.js

Script Paths
  • /wp-content/plugins/spiffy-calendar/js/spiffy-calendar.js
  • /wp-content/plugins/spiffy-calendar/js/spiffy-calendar-admin.js
  • /wp-content/plugins/spiffy-calendar/js/fullcalendar.min.js
  • /wp-content/plugins/spiffy-calendar/js/moment.min.js

Version Parameters
  • spiffy-calendar/css/style.css?ver=
  • spiffy-calendar/css/fullcalendar.css?ver=
  • spiffy-calendar/css/custom.css?ver=
  • spiffy-calendar/css/spiffy-admin.css?ver=
  • spiffy-calendar/js/spiffy-calendar.js?ver=
  • spiffy-calendar/js/spiffy-calendar-admin.js?ver=
  • spiffy-calendar/js/fullcalendar.min.js?ver=
  • spiffy-calendar/js/moment.min.js?ver=

HTML / DOM Fingerprints

CSS Classes
  • spiffy-calendar-container
  • spiffy-calendar-frontend
  • spiffy-calendar-event-list
  • spiffy-calendar-admin-wrapper
  • spiffy-calendar-admin-nav
  • spiffy-calendar-widget
  • spiffy-minical
  • spiffy-upcoming-list
  • +2 more

HTML Comments
  • <!-- Spiffy Calendar Frontend START -->
  • <!-- Spiffy Calendar Frontend END -->
  • <!-- Spiffy Calendar Admin START -->
  • <!-- Spiffy Calendar Admin END -->

Data Attributes
  • data-spiffy-calendar-id
  • data-spiffy-calendar-option
  • data-spiffy-calendar-event

JS Globals
  • spiffy_calendar_settings
  • spiffy_calendar_vars

REST Endpoints
  • /wp-json/spiffy-calendar/v1/events
  • /wp-json/spiffy-calendar/v1/settings

Shortcode Output
  • <div class="spiffy-calendar-container">
  • <div class="spiffy-calendar-frontend">
  • <div class="spiffy-calendar-event-list">
  • <div class="spiffy-minical">

FAQ

Frequently Asked Questions about Spiffy Calendar