Stellarwp The Events Calendar — known CVE vulnerabilities
Every CVE whose affected-product data names Stellarwp The Events Calendar, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (9)
CVE-2024-8275 — CVSS 9.8 (critical): The The Events Calendar plugin for WordPress is vulnerable to SQL Injection via the 'order' parameter of the 'tribe_has_next_event'…
CVE-2024-4180 — CVSS 9.1 (critical): The Events Calendar WordPress plugin before 6.4.0.1 does not properly sanitize user-submitted content when rendering some views via AJAX.
CVE-2023-6203 — CVSS 7.5 (high): The Events Calendar WordPress plugin before 6.2.8.1 discloses the content of password protected posts to unauthenticated users via a…
CVE-2024-6931 — CVSS 7.2 (high): The The Events Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via RSVP name field in all versions up to, and…
CVE-2025-5144 — CVSS 6.4 (medium): The The Events Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘data-date-*’ parameters in all…
CVE-2019-15109 — CVSS 6.1 (medium): The the-events-calendar plugin before 4.8.2 for WordPress has XSS via the tribe_paged URL parameter.
CVE-2024-5333 — CVSS 5.3 (medium): The Events Calendar WordPress plugin before 6.8.2.1 is missing access checks in the REST API, allowing for unauthenticated users to access…
CVE-2023-6557 — CVSS 5.3 (medium): The The Events Calendar plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 6.2.8.2…
CVE-2024-8493 — CVSS 4.8 (medium): The Events Calendar WordPress plugin before 6.6.4 does not sanitise and escape some of its settings, which could allow high privilege users…