"Prevention is cheaper than a breach"

Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 4
Critical: 0
High: 1
Medium: 3
Showing 1-4 of 4 records
Threat Entry Updated 2026-03-04

CVE-2026-2355 - My Calendar Plugin

The My Calendar – Accessible Event Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `template` attribute of the `[my_calendar_upcoming]` shortcode in all versions up to, and including, 3.7.3. This is due to the use of `stripcslashes()` on user-supplied shortcode attribute values in the `mc_draw_template()` function, which decodes C-style hex escape sequences (e.g., `\x3c` to `

PLUGIN My Calendar

CVE-2026-2355

MEDIUM CVSS 6.4 2026-03-04
Threat Entry Updated 2025-05-07

CVE-2024-1274 - My Calendar Plugin

The My Calendar WordPress plugin before 3.4.24 does not sanitise and escape some parameters, which could allow users with a role as low as Subscriber to perform Cross-Site Scripting attacks (depending on the permissions set by the admin).

PLUGIN My Calendar

CVE-2024-1274

MEDIUM CVSS 5.4 2024-04-02
Threat Entry Updated 2024-11-21

CVE-2023-6360 - My Calendar Plugin

The 'My Calendar' WordPress Plugin, version < 3.4.22, is affected by an unauthenticated SQL injection vulnerability in the 'from' and 'to' parameters in the '/my-calendar/v1/events' REST route.

PLUGIN My Calendar

CVE-2023-6360

HIGH CVSS 8.6 2023-11-30
Threat Entry Updated 2024-11-21

CVE-2021-24927 - My Calendar Plugin

The My Calendar WordPress plugin before 3.2.18 does not sanitise and escape the callback parameter of the mc_post_lookup AJAX action (available to any authenticated user) before outputting it back in the response, leading to a Reflected Cross-Site Scripting issue.

PLUGIN My Calendar

CVE-2021-24927

MEDIUM CVSS 5.4 2021-11-29