WP FullCalendar Security & Risk Analysis

wordpress.org/plugins/wp-fullcalendar

Uses the FullCalendar library to create a stunning calendar view of events, posts and other custom post types

9K active installs v1.6 PHP + WP 3.6+ Updated Apr 23, 2025
ajax-calendar, calendar, calendars, event-calendars, events-calendar
52
C · Use Caution
CVEs total: 4
Unpatched: 2
Last CVE: Feb 11, 2026
Safety Verdict

Is WP FullCalendar Safe to Use in 2026?

Use With Caution

Score 52/100

WP FullCalendar has 2 unpatched vulnerabilities. Evaluate alternatives or apply available mitigations.

4 known CVEs · 2 unpatched · Last CVE: Feb 11, 2026 · Updated 11mo ago
Risk Assessment

The wp-fullcalendar plugin v1.6 presents a moderate security risk due to a combination of static analysis findings and a concerning vulnerability history. While the code shows positive signs such as 100% prepared SQL statements and a high percentage of properly escaped output, the presence of two AJAX handlers without authentication checks is a significant concern. This could allow unauthenticated users to trigger potentially harmful actions.

The plugin's vulnerability history is a more substantial red flag, with a total of four known CVEs, two of which remain unpatched. The common vulnerability types, including Exposure of Sensitive Information, Cross-site Scripting, and Missing Authorization, suggest recurring security weaknesses that have not been fully addressed. The fact that the most recent vulnerability was dated in 2026, albeit a future date, implies a pattern of unresolved security issues that could be exploited.

Overall, while the codebase exhibits some good security practices, the unpatched vulnerabilities and unprotected entry points create a notable risk. Users should proceed with caution and prioritize updating to versions that address these known security flaws. The plugin's strengths in SQL sanitization and output escaping are overshadowed by the historical and present risks.

Key Concerns

  • Unpatched CVEs found
  • AJAX handlers without auth checks
  • Missing authorization in vulnerability history
  • Cross-site Scripting in vulnerability history
  • Exposure of Sensitive Information in vulnerability history
Vulnerabilities
4

WP FullCalendar Security Vulnerabilities

CVEs by Year

2023: 1 CVE
2025: 1 CVE
2026: 2 CVEs · unpatched

Severity Breakdown

Medium: 4

4 total CVEs

CVE-2026-22351 · medium · 5.3 · Missing Authorization
FullCalendar <= 1.6 - Missing Authorization
Feb 11, 2026 · Unpatched

CVE-2026-24523 · medium · 5.3 · Exposure of Sensitive Information to an Unauthorized Actor
FullCalendar <= 1.6 - Unauthenticated Information Exposure
Jan 26, 2026 · Unpatched

CVE-2025-22261 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
WP FullCalendar <= 1.5 - Authenticated (Contributor+) Stored Cross-Site Scripting
Jan 6, 2025 · Patched in 1.6 (51d)

CVE-2022-3891 · medium · 6.5 · Missing Authorization
WP FullCalendar <= 1.4.1 - Missing Authorization to Information Disclosure
Jan 17, 2023 · Patched in 1.5 (371d)

Code Analysis
Analyzed Mar 16, 2026

WP FullCalendar Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (1 prepared)
Unescaped Output: 10 (121 escaped)
Nonce Checks: 2
Capability Checks: 1
File Operations: 0
External Requests: 0
Bundled Libraries: 0

SQL Query Safety

100% prepared · 1 total query

Output Escaping

92% escaped · 131 total outputs

Data Flows: All sanitized

Data Flow Analysis

2 flows
qtip_content (wp-fullcalendar.php:238)
Attack Surface
2 unprotected

WP FullCalendar Attack Surface

Entry Points: 6
Unprotected: 2

AJAX Handlers 4

auth · wp_ajax_WP_FullCalendar · wp-fullcalendar.php:43
nopriv · wp_ajax_WP_FullCalendar · wp-fullcalendar.php:44
auth · wp_ajax_wpfc_qtip_content · wp-fullcalendar.php:45
nopriv · wp_ajax_wpfc_qtip_content · wp-fullcalendar.php:46

Shortcodes 2

[fullcalendar] wp-fullcalendar.php:37
[events_fullcalendar] wp-fullcalendar.php:38

WordPress Hooks 8

action · wp_enqueue_scripts · wp-fullcalendar.php:35
filter · posts_where · wp-fullcalendar.php:201
action · wp_footer · wp-fullcalendar.php:271
action · plugins_loaded · wp-fullcalendar.php:343
filter · em_org_dev_versions · wp-fullcalendar.php:354
action · admin_menu · wpfc-admin.php:278
action · admin_notices · wpfc-events-manager.php:10
action · network_admin_notices · wpfc-events-manager.php:11

Maintenance & Trust

WP FullCalendar Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.8.5
Last updated: Apr 23, 2025
PHP min version
Downloads: 208K

Community Trust

Rating: 94/100
Number of ratings: 96
Active installs: 9K

Developer Profile

WP FullCalendar Developer Profile

Marcus (aka @msykes)

13 plugins · 176K total installs

Trust score: 71
Avg Security Score: 89/100
Avg Patch Time: 1423 days
Detection Fingerprints

How We Detect WP FullCalendar

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/wp-fullcalendar/includes/css/main.css
/wp-content/plugins/wp-fullcalendar/includes/js/main.js
Script Paths
/wp-content/plugins/wp-fullcalendar/includes/js/fullcalendar.js
/wp-content/plugins/wp-fullcalendar/includes/js/popper.js
/wp-content/plugins/wp-fullcalendar/includes/js/tippy.js
/wp-content/plugins/wp-fullcalendar/includes/js/main.js
Version Parameters
wp-fullcalendar/includes/css/main.css?ver=
wp-fullcalendar/includes/js/main.js?ver=
wp-fullcalendar/includes/js/fullcalendar.js?ver=
wp-fullcalendar/includes/js/popper.js?ver=
wp-fullcalendar/includes/js/tippy.js?ver=

HTML / DOM Fingerprints

JS Globals
wp_fullcalendar_params
REST Endpoints
/wp-json/wp-fullcalendar/
Shortcode Output
[fullcalendar]
[events_fullcalendar]

FAQ

Frequently Asked Questions about WP FullCalendar