| CVE ID | Title | Vendor | Product | Severity | CVSS Score | Published At | AI Analysis |
|---|---|---|---|---|---|---|---|
| CVE-2026-1431 | Booking Calendar <= 10.14.13 - Missing Authorization to Unauthenticated Booking Details Exposure | wpdevelop | Booking Calendar | Medium | 5.3 | 2026-01-31 04:35:15 | Deep Dive |
| CVE-2026-1310 | Simple calendar for Elementor <= 1.6.6 - Missing Authorization to Unauthenticated Arbitrary Calendar Entry Deletion | migaweb | Simple calendar for Elementor | Medium | 5.3 | 2026-01-28 06:43:45 | Deep Dive |
| CVE-2026-1083 | Appointment Hour Booking – Booking Calendar <= 1.5.60 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'Min/Max Length' Field Configuration | codepeople | Appointment Hour Booking – Booking Calendar | Medium | 4.4 | 2026-01-28 05:30:19 | Deep Dive |
| CVE-2026-24636 | WordPress Sugar Calendar (Lite) plugin <= 3.9.1 - Broken Access Control vulnerability | Syed Balkhi | Sugar Calendar (Lite) | Medium | 4.3 | 2026-01-23 14:29:09 | Deep Dive |
| CVE-2025-15043 | The Events Calendar <= 6.15.13 - Missing Authorization to Authenticated (Subscriber+) Data Migration Control | stellarwp | The Events Calendar | Medium | 5.4 | 2026-01-20 14:26:33 | Deep Dive |
| CVE-2025-14982 | Booking Calendar <= 10.14.11 - Missing Authorization to Sensitive Information Exposure | wpdevelop | Booking Calendar | Medium | 4.3 | 2026-01-16 04:44:33 | Deep Dive |
| CVE-2025-12166 | Simply Schedule Appointments <= 1.6.9.9 - Unauthenticated SQL Injection via `order` and `append_where_sql` Parameters | croixhaug | Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin | High | 7.5 | 2026-01-14 22:23:51 | Deep Dive |
| CVE-2025-14507 | EventPrime - Events Calendar, Bookings and Tickets <= 4.2.7.0 - Unauthenticated Sensitive Information Exposure via REST API | metagauss | EventPrime – Events Calendar, Bookings and Tickets | Medium | 5.3 | 2026-01-13 13:49:13 | Deep Dive |
| CVE-2025-14657 | Eventin – Event Manager, Event Booking, Calendar, Tickets and Registration Plugin (AI Powered) <= 4.0.51 - Missing Authorization to Unauthenticated Stored Cross-Site Scripting via 'post_settings' | arraytics | Eventin – Event Calendar, Event Registration, Tickets & Booking (AI Powered) | High | 7.2 | 2026-01-09 07:22:13 | Deep Dive |
| CVE-2025-14146 | Booking Calendar <= 10.14.10 - Unauthenticated Sensitive Information Exposure | wpdevelop | Booking Calendar | Medium | 5.3 | 2026-01-09 07:22:10 | Deep Dive |
| CVE-2025-14720 | Booking for Appointments and Events Calendar – Amelia <= 1.2.38 - Missing Authorization to Unauthenticated Multiple AJAX Actions | ameliabooking | Booking for Appointments and Events Calendar – Amelia | Medium | 5.3 | 2026-01-09 06:34:54 | Deep Dive |
| CVE-2025-69352 | WordPress The Events Calendar plugin <= 6.15.12.2 - Broken Access Control vulnerability | StellarWP | The Events Calendar | Medium | 5.4 | 2026-01-06 16:36:41 | Deep Dive |
| CVE-2025-69348 | WordPress The Events Calendar Countdown Addon plugin <= 1.4.15 - Broken Access Control vulnerability | CoolHappy | The Events Calendar Countdown Addon | Medium | 4.3 | 2026-01-06 16:36:40 | Deep Dive |
| CVE-2025-5919 | Appointment Booking and Scheduling Calendar Plugin – WP Timetics <= 1.0.36 - Missing Authorization to Unauthenticated Booking Details View And Modification | arraytics | Timetics – Appointment Booking & Scheduling | Medium | 6.5 | 2026-01-06 08:21:50 | Deep Dive |
| CVE-2025-11723 | Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin <= 1.6.9.5 - Unauthenticated Sensitive Information Exposure | croixhaug | Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin | Medium | 6.5 | 2026-01-06 03:21:39 | Deep Dive |
| CVE-2025-68979 | WordPress Google Calendar Events plugin <= 3.5.9 - Insecure Direct Object References (IDOR) vulnerability | SimpleCalendar | Google Calendar Events | Medium | 5.3 | 2025-12-30 10:47:49 | Deep Dive |
| CVE-2025-68603 | WordPress Editorial Calendar plugin <= 3.8.8 - Broken Access Control vulnerability | Marketing Fire | Editorial Calendar | Medium | 5.4 | 2025-12-24 13:10:48 | Deep Dive |
| CVE-2025-68523 | WordPress Spiffy Calendar plugin <= 5.0.7 - Broken Access Control vulnerability | Spiffy Plugins | Spiffy Calendar | Medium | 4.3 | 2025-12-24 12:31:24 | Deep Dive |
| CVE-2025-14548 | Calendar <= 1.3.16 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'event_desc' | kieranoshea | Calendar | Medium | 6.4 | 2025-12-23 09:20:01 | Deep Dive |
| CVE-2025-12898 | Pretty Google Calendar <= 2.0.0 - Missing Authorization to Unauthenticated Google API Key Exposure | lbell | Pretty Google Calendar | Medium | 5.3 | 2025-12-20 03:20:22 | Deep Dive |