The events calendar

This hub aggregates every CVE we track for The events calendar, a product in the web cms plugins space. Use it to gauge the current risk picture and drill into individual advisories.

Web & CMS Pluginson-premcms plugin

CVEs tracked

Critical

High

In CISA KEV

Severity distribution

MEDIUM19HIGH5CRITICAL3

Monthly trend

2024-072026-06

Latest CVEs

See all →

The 15 most recently published vulnerabilities affecting The events calendar.

CVE-2026-49772WordPress The Events Calendar plugin 6.15.12-6.16.2 - SQL Injection vulnerability9.3Jun 16, 2026
CVE-2026-3585The Events Calendar <= 6.15.17 - Authenticated (Author+) Arbitrary File Read via ajax_create_import7.5Mar 10, 2026
CVE-2026-2694The Events Calendar <= 6.15.16 - Improper Authorization to Authenticated (Contributor+) Event/Organizer/Venue Update/Trash via REST API5.4Feb 25, 2026
CVE-2025-15043The Events Calendar <= 6.15.13 - Missing Authorization to Authenticated (Subscriber+) Data Migration Control5.4Jan 20, 2026
CVE-2025-69352WordPress The Events Calendar plugin <= 6.15.12.2 - Broken Access Control vulnerability5.4Jan 6, 2026
CVE-2025-12192The Events Calendar <= 6.15.9 - Sysinfo Key Incorrect Comparison to Unauthenticated Sensitive Information Exposure5.3Nov 5, 2025
CVE-2025-12197The Events Calendar 6.15.1.1 - 6.15.9 - Unauthenticated SQL Injection via s7.5Nov 5, 2025
CVE-2025-12175The Events Calendar <= 6.15.9 - Missing Authorization to Authenticated (Subscriber+) Draft Event Title/QR Code Exposure4.3Oct 31, 2025
CVE-2025-9808The Events Calendar <= 6.15.2 - Missing Authorization to Unauthenticated Password-Protected Information Disclosure5.3Sep 16, 2025
CVE-2025-9807The Events Calendar <= 6.15.1 - Unauthenticated SQL Injection7.5Sep 12, 2025
CVE-2025-5144The Events Calendar <= 6.13.2 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting6.4Jun 11, 2025
CVE-2025-48246WordPress The Events Calendar plugin <= 6.11.2.1 - Broken Access Control Vulnerability5.4May 19, 2025
CVE-2024-8493The Events Calendar < 6.6.4 - Admin+ Stored XSS4.8May 15, 2025
CVE-2025-24537WordPress The Events Calendar plugin <= 6.7.0 - Cross Site Request Forgery (CSRF) vulnerability5.4Jan 27, 2025
CVE-2024-12118The Events Calendar <= 6.9.0 - Authenticated (Contributor+) Stored Cross-Site Scripting6.4Jan 23, 2025

Product normalization is registry-driven with AI assist and human review. How it works