| CVE-2026-3585 | The Events Calendar <= 6.15.17 - Authenticated (Author+) Arbitrary File Read via ajax_create_import | stellarwp | The Events Calendar | High | 7.5 | 2026-03-10 03:33:51 | Deep Dive |
| CVE-2026-1919 | Booktics <= 1.0.16 - Missing Authorization to Get Items via REST API endpoints | arraytics | Booktics – Booking Calendar for Appointments and Service Businesses | Medium | 5.3 | 2026-03-10 02:21:50 | Deep Dive |
| CVE-2026-1920 | Booktics <= 1.0.16 - Missing Authorization to Addon Plugin Installation | arraytics | Booktics – Booking Calendar for Appointments and Service Businesses | Medium | 5.3 | 2026-03-10 02:21:49 | Deep Dive |
| CVE-2026-1902 | Hammas Calendar <= 1.5.11 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'apix' Shortcode Attribute | innovaatik | Hammas Calendar | Medium | 6.4 | 2026-03-07 01:21:21 | Deep Dive |
| CVE-2026-29052 | HumHub Calendar Module: Stored XSS in Event Types | humhub | calendar | 中危 | - | 2026-03-05 05:48:11 | Deep Dive |
| CVE-2026-2355 | My Calendar – Accessible Event Manager <= 3.7.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes | joedolson | My Calendar – Accessible Event Manager | Medium | 6.4 | 2026-03-04 11:22:30 | Deep Dive |
| CVE-2026-1487 | LatePoint <= 5.2.7 - Authenticated (Administrator+) SQL Injection via JSON Import | latepoint | LatePoint – Calendar Booking Plugin for Appointments and Events | Medium | 6.5 | 2026-03-03 01:21:51 | Deep Dive |
| CVE-2026-1566 | LatePoint <= 5.2.7 - Authenticated (Agent+) Privilege Escalation | latepoint | LatePoint – Calendar Booking Plugin for Appointments and Events | High | 8.8 | 2026-03-02 23:22:56 | Deep Dive |
| CVE-2026-2694 | The Events Calendar <= 6.15.16 - Improper Authorization to Authenticated (Contributor+) Event/Organizer/Venue Update/Trash via REST API | stellarwp | The Events Calendar | Medium | 5.4 | 2026-02-25 21:25:02 | Deep Dive |
| CVE-2026-0556 | XO Event Calendar <= 3.2.10 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'xo_event_field' shortcode | ishitaka | XO Event Calendar | Medium | 6.4 | 2026-02-19 04:36:14 | Deep Dive |
| CVE-2026-2230 | Booking Calendar <= 10.14.14 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary User Settings Modification | wpdevelop | Booking Calendar | Medium | 4.3 | 2026-02-18 16:28:15 | Deep Dive |
| CVE-2026-1941 | WP Event Aggregator <= 1.8.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes | xylus | WP Event Aggregator: Import Eventbrite events, Meetup events, social events and any iCal Events into Event Calendar | Medium | 6.4 | 2026-02-18 08:26:03 | Deep Dive |
| CVE-2026-1655 | EventPrime <= 4.2.8.4 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Event Modification via 'event_id' Parameter | metagauss | EventPrime – Events Calendar, Bookings and Tickets | Medium | 4.3 | 2026-02-18 07:25:40 | Deep Dive |
| CVE-2026-1657 | EventPrime <= 4.2.8.4 - Missing Authorization to Unauthenticated Image Upload via 'ep_upload_file_media' AJAX Endpoint | metagauss | EventPrime – Events Calendar, Bookings and Tickets | Medium | 5.3 | 2026-02-17 05:29:53 | Deep Dive |
| CVE-2025-14873 | LatePoint – Calendar Booking Plugin for Appointments and Events <= 5.2.5 - Cross-Site Request Forgery | latepoint | LatePoint – Calendar Booking Plugin for Appointments and Events | Medium | 4.3 | 2026-02-14 06:42:27 | Deep Dive |
| CVE-2026-1932 | Appointment Booking Calendar Plugin <= 1.0.2 - Missing Authorization to Unauthenticated Arbitrary Appointment Status Modification | bssoftware | Appointment Booking Calendar Plugin – Bookr | Medium | 5.3 | 2026-02-14 05:54:12 | Deep Dive |
| CVE-2026-1537 | LatePoint – Calendar Booking Plugin for Appointments and Events <= 5.2.6 - Missing Authorization to Booking Details Exposure | latepoint | LatePoint – Calendar Booking Plugin for Appointments and Events | Medium | 5.3 | 2026-02-12 02:23:25 | Deep Dive |
| CVE-2026-1922 | The Events Calendar Shortcode & Block <= 3.1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes | brianhogg | The Events Calendar Shortcode & Block | Medium | 6.4 | 2026-02-10 09:26:06 | Deep Dive |
| CVE-2026-24988 | WordPress The Events Calendar Shortcode & Block plugin <= 3.1.1 - Cross Site Scripting (XSS) vulnerability | Brian Hogg | The Events Calendar Shortcode & Block | - | - | 2026-02-03 14:08:37 | Deep Dive |
| CVE-2026-0617 | LatePoint – Calendar Booking Plugin for Appointments and Events <= 5.2.5 - Unauthenticated Stored Cross-Site Scripting | latepoint | LatePoint – Calendar Booking Plugin for Appointments and Events | High | 7.2 | 2026-02-03 06:38:02 | Deep Dive |