Google Calendar Widget & Short Code Security & Risk Analysis
wordpress.org/plugins/wpgcalAdds a widget and shortcode to display or embed Google Calendars in WordPress.
Is Google Calendar Widget & Short Code Safe to Use in 2026?
Generally Safe
Score 85/100Google Calendar Widget & Short Code has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.
The "wpgcal" valpha 2 plugin exhibits a generally positive security posture, with no known vulnerabilities or critical security signals detected in the static analysis. The absence of dangerous functions, file operations, external HTTP requests, and the exclusive use of prepared statements for SQL queries are all strong indicators of good security practices. The limited attack surface, consisting of only one shortcode with no immediately apparent unprotected entry points, further contributes to its secure profile.
However, a significant concern arises from the low percentage of properly escaped output. With 43 total outputs and only 12% properly escaped, there is a high likelihood of Cross-Site Scripting (XSS) vulnerabilities. This is a critical weakness that could be exploited to inject malicious scripts into pages rendered by the plugin. The lack of nonce checks and capability checks, while not directly linked to the current findings, could also become a concern if new entry points or functionalities are added without proper authorization validation in the future.
In conclusion, while "wpgcal" valpha 2 is free from known malware, vulnerabilities, and major code-level risks like SQL injection or dangerous function usage, the prevalent unescaped output poses a substantial XSS risk. Addressing this output escaping issue should be the highest priority to improve the plugin's overall security.
Key Concerns
- Low output escaping percentage
- No nonce checks
- No capability checks
Google Calendar Widget & Short Code Security Vulnerabilities
Google Calendar Widget & Short Code Code Analysis
Output Escaping
Google Calendar Widget & Short Code Attack Surface
Shortcodes 1
WordPress Hooks 4
Maintenance & Trust
Google Calendar Widget & Short Code Maintenance & Trust
Maintenance Signals
Community Trust
Google Calendar Widget & Short Code Alternatives
Apollo13 Framework Extensions
apollo13-framework-extensions
Adds custom post types, shortcodes and some features that are used in themes built on Apollo13 Framework.
Weaver Xtreme Theme Support
weaverx-theme-support
A useful shortcode and widget collection for Weaver Xtreme
Popularis Extra
popularis-extra
Popularis Extra add extra features to Popularis theme like demo import, widgets, shortcodes or Elementor widgets.
Disable Author Pages
disable-author-pages
Disable the author pages
Series
series
Plugin that allows you to collect posts in a series.
Google Calendar Widget & Short Code Developer Profile
7 plugins · 290 total installs
How We Detect Google Calendar Widget & Short Code
Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.
Asset Fingerprints
HTML / DOM Fingerprints
widget_gcal an example embed code:
* <iframe src="http://www.google.com/calendar/embed?height=600&wkst=1&bgcolor=%23FFFFFF&src=enk2sgfhkhrjqs57kqb5o1rb91r82rbo%40import.calendar.google.com&color=%235A6986&ctz=America%2FNew_York" style=" border-width:0 " width="500" height="600" frameborder="0" scrolling="no"></iframe>
THIS WORKS //
if( preg_match( '/' . preg_quote(addslashes(htmlspecialchars($parsed['embed'], ENT_NOQUOTES)), '/') . '/' , $content ))
replace google calendar iframe tag with shortcode
+9 moregcaltitleembedsrcwidthheight+3 more[gcal