The Events Calendar Shortcode & Block Security & Risk Analysis

The plugin "the-events-calendar-shortcode" v3.1.3 demonstrates a generally good security posture with several positive indicators. Notably, all identified entry points, including AJAX handlers, REST API routes, shortcodes, and cron events, appear to have authentication checks in place. The code also makes extensive use of prepared statements for SQL queries, indicating a strong defense against SQL injection. Output escaping is also largely implemented, with 84% of outputs being properly handled. However, a significant concern lies in its vulnerability history. The plugin has two known medium-severity CVEs, both related to Cross-Site Scripting (XSS), and the last recorded vulnerability was in early 2026, which is concerning as it suggests a pattern of past security weaknesses. While the current version's static analysis shows no critical or high severity issues, and no unsanitized taint flows, the historical context of XSS vulnerabilities warrants caution. The presence of file operations and external HTTP requests, while not inherently insecure, are potential vectors that require careful scrutiny in future analyses or if new vulnerabilities emerge. Overall, the plugin has strengths in secure coding practices, but its past vulnerability record necessitates ongoing vigilance.