![](/assets/img/cve_300x82_sin_bg.png)
CVE-2024-12118 – The Events Calendar <= 6.9.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2024-12118
22 Jan 2025 — The The Events Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Event Calendar Link Widget through the html_tag attribute in all versions up to, and including, 6.9.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. • https://plugins.trac.wordpress.org/browser/the-events-calendar/tags/6.8.1/src/Events/Integrations/Plugins/Elementor/Widgets/Event_Calendar_Link.php#L90 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-5333 – The Events Calendar < 6.8.2.1 - Unauthenticated Password Protected Event Disclosure
https://notcve.org/view.php?id=CVE-2024-5333
25 Nov 2024 — The Events Calendar WordPress plugin before 6.8.2.1 is missing access checks in the REST API, allowing for unauthenticated users to access information about password protected events. The The Events Calendar plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 6.8.2 via the /wp-json/tribe/events/v1/events/ REST API due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password pro... • https://wpscan.com/vulnerability/764b5a23-8b51-4882-b899-beb54f684984 • CWE-202: Exposure of Sensitive Information Through Data Queries
CVE-2024-8275 – The Events Calendar <= 6.6.4 - Unauthenticated SQL Injection
https://notcve.org/view.php?id=CVE-2024-8275
24 Sep 2024 — The The Events Calendar plugin for WordPress is vulnerable to SQL Injection via the 'order' parameter of the 'tribe_has_next_event' function in all versions up to, and including, 6.6.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. Only sites that have... • https://github.com/nothe1senberg/CVE-2024-8275 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2024-8493 – The Events Calendar <= 6.6.3 - Authenticated (Administrator+) Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2024-8493
31 Jul 2024 — The The Events Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 6.6.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disab... • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-6931 – The Events Calendar <= 6.6.3 - Unauthenticated Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2024-6931
23 Jul 2024 — The The Events Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via RSVP name field in all versions up to, and including, 6.6.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. • https://plugins.trac.wordpress.org/changeset/3150170 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-37518 – WordPress The Events Calendar plugin <= 6.5.1.4 - Cross Site Request Forgery (CSRF) vulnerability
https://notcve.org/view.php?id=CVE-2024-37518
05 Jul 2024 — Cross-Site Request Forgery (CSRF) vulnerability in The Events Calendar The Events Calendar allows Cross Site Request Forgery. This issue affects The Events Calendar: from n/a through 6.5.1.4. The The Events Calendar plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 6.5.1.4. This is due to missing or incorrect nonce validation on the action_restore_events() function. This makes it possible for unauthenticated attackers to restore events via a forged request gra... • https://patchstack.com/database/wordpress/plugin/the-events-calendar/vulnerability/wordpress-the-events-calendar-plugin-6-5-1-4-cross-site-request-forgery-csrf-vulnerability?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF)
CVE-2024-1295 – The Events Calendar (Free < 6.4.0.1, Pro < 6.4.0.1) - Contributor+ Arbitrary Events Access
https://notcve.org/view.php?id=CVE-2024-1295
24 May 2024 — The events-calendar-pro WordPress plugin before 6.4.0.1, The Events Calendar WordPress plugin before 6.4.0.1 does not prevent users with at least the contributor role from leaking details about events they shouldn't have access to (e.g. password-protected events, drafts, etc.). • https://wpscan.com/vulnerability/3cffbeb0-545a-4002-b02c-0fa38cada1db • CWE-862: Missing Authorization
CVE-2024-4180 – The Events Calendar < 6.4.0.1 - Reflected XSS
https://notcve.org/view.php?id=CVE-2024-4180
14 May 2024 — The Events Calendar WordPress plugin before 6.4.0.1 does not properly sanitize user-submitted content when rendering some views via AJAX. The The Events Calendar plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'view_data' parameter in all versions up to, and including, 6.4.0 due to insufficient input sanitizat... • https://wpscan.com/vulnerability/b2a92316-e404-4a5e-8426-f88df6e87550 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-31433 – WordPress The Events Calendar plugin <= 6.3.0 - Cross Site Request Forgery (CSRF) vulnerability
https://notcve.org/view.php?id=CVE-2024-31433
10 Apr 2024 — Cross-Site Request Forgery (CSRF) vulnerability in The Events Calendar. This issue affects The Events Calendar: from n/a through 6.3.0. The The Events Calendar plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 6.3.0. This is due to missing or incorrect nonce validation on the maybe_dismiss() function. • https://patchstack.com/database/vulnerability/the-events-calendar/wordpress-the-events-calendar-plugin-6-3-0-cross-site-request-forgery-csrf-vulnerability?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF)
CVE-2023-6557 – The Events Calendar <= 6.2.8.2 - Unauthenticated Sensitive Information Exposure
https://notcve.org/view.php?id=CVE-2023-6557
12 Jan 2024 — The The Events Calendar plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 6.2.8.2 via the route function hooked into wp_ajax_nopriv_tribe_dropdown. This makes it possible for unauthenticated attackers to extract potentially sensitive data including post titles and IDs of pending, private and draft posts. • https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3010104%40the-events-calendar%2Ftags%2F6.2.9&old=3010096%40the-events-calendar%2Ftags%2F6.2.9 • CWE-862: Missing Authorization