Theeventscalendar

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2025-1402 1Theeventscalendar 1Event Tickets Jun 17, 2026 Feb 21, 2025 N/A· v4 5.3 MEDIUM· v3 N/A· v2 The Event Tickets and Registration plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'ajax_ticket_delete' function in all versions up to, and including, 5.19.1.1. Th...Show more The Event Tickets and Registration plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'ajax_ticket_delete' function in all versions up to, and including, 5.19.1.1. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete arbitrary Attendee tickets.Show less
CVE-2024-12118 1Theeventscalendar 1The Events Calendar Jun 17, 2026 Jan 23, 2025 N/A· v4 5.4 MEDIUM· v3 N/A· v2 The The Events Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Event Calendar Link Widget through the html_tag attribute in all versions up to, and including, 6.9.0 due to insufficient...Show more The The Events Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Event Calendar Link Widget through the html_tag attribute in all versions up to, and including, 6.9.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.Show less
CVE-2024-8016 1Theeventscalendar 1Events Calendar Pro Jun 17, 2026 Aug 30, 2024 N/A· v4 7.2 HIGH· v3 N/A· v2 The Events Calendar Pro plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 7.0.2 via deserialization of untrusted input from the 'filters' parameter in widgets. This makes it...Show more The Events Calendar Pro plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 7.0.2 via deserialization of untrusted input from the 'filters' parameter in widgets. This makes it possible for authenticated attackers, with administrator-level access and above, to inject a PHP Object. The additional presence of a POP chain allows attackers to execute code remotely. In certain configurations, this can be exploitable by lower level users. We confirmed that this plugin installed with Elementor makes it possible for users with contributor-level access and above to exploit this issue.Show less
CVE-2021-25025 1Theeventscalendar 1Eventcalendar Jun 17, 2026 Jan 17, 2022 N/A· v4 4.3 MEDIUM· v3 4.0 MEDIUM· v2 The EventCalendar WordPress plugin before 1.1.51 does not have proper authorisation and CSRF checks in the add_calendar_event AJAX actions, allowing users with a role as low as subscriber to create events
CVE-2021-25024 1Theeventscalendar 1Eventcalendar Jun 17, 2026 Jan 17, 2022 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 The EventCalendar WordPress plugin before 1.1.51 does not escape some user input before outputting it back in attributes, leading to Reflected Cross-SIte Scripting issues
CVE-2015-5485 1Theeventscalendar 1Eventbrite Tickets May 6, 2026 Aug 18, 2015 N/A· v4 N/A· v3 4.3 MEDIUM· v2 Cross-site scripting (XSS) vulnerability in the Event Import page (import-eventbrite-events.php) in the Modern Tribe Eventbrite Tickets plugin before 3.10.2 for WordPress allows remote attackers to inject arbitrary web s...Show more Cross-site scripting (XSS) vulnerability in the Event Import page (import-eventbrite-events.php) in the Modern Tribe Eventbrite Tickets plugin before 3.10.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via the "error" parameter to wp-admin/edit.php.Show less