Plugin inspection:

The Events Calendar

Use with caution

Last revised:

Confidence: Medium
This plugin has been given a short, targeted code review.

Before using this plugin, you should carefully consider these findings. Read more about this recommendation.

Warnings

This recommendation applies to version 3.0.1 of this plugin, but the most recent version is 6.3.7. These findings may no longer be correct.

Findings

Sanitisation and escaping are present but are not applied systematically. This is much improved over the previous version, but the lack of a systematic approach remains a concern given the size of the plugin (over 11,000 lines of PHP): without a consistent rule for where data is sanitised and escaped, every output point has to be checked individually. All queries containing variables appear to be prepared.

There are several instances of unsanitised data being passed into filters and abstract functions. This should not affect users running the plugin in isolation, but anyone writing code that interacts with it should be aware that the arguments arriving in their filter callbacks are unlikely to be trustworthy, and should sanitise or escape them before use.
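As an added illustration of the two points above (this is example code, not code from The Events Calendar or from the review), the following shows how an add-on that hooks the plugin's filters should treat the values it receives as untrusted, escaping them for the context they are output into, and how a query built from request data is prepared rather than interpolated. It assumes a WordPress runtime (add_filter, esc_html, esc_url, absint, sanitize_text_field, $wpdb->prepare); the hook names `example_event_title_html` and `example_ticket_link_url` and the table `example_tickets` are hypothetical stand-ins, not the plugin's real hooks or tables.

```php
<?php
/**
 * Added example, not the plugin's own code. Requires a WordPress runtime.
 * Hook names and the table name are hypothetical stand-ins.
 */

// Hypothetical filter assumed to run over an event title before output.
// The add-on cannot know whether $title was sanitised upstream, so it
// must not be emitted raw.
add_filter( 'example_event_title_html', function ( $title, $event_id ) {
    // Vulnerable pattern: trust the filtered value and echo it as-is.
    // return '<h2 class="event">' . $title . '</h2>';

    // Hardened: re-validate the id and escape the text for an HTML context.
    $event_id = absint( $event_id );
    return sprintf(
        '<h2 class="event" data-event="%d">%s</h2>',
        $event_id,
        esc_html( $title )
    );
}, 10, 2 );

// Hypothetical filter passing a URL the add-on places in an href.
// Attribute/URL context needs esc_url(), not esc_html().
add_filter( 'example_ticket_link_url', function ( $url ) {
    return esc_url( $url ); // drops javascript: and other disallowed schemes
} );

// Query built from a request parameter: validate shape, then prepare.
function example_find_tickets_for_day( $ymd ) {
    global $wpdb;

    // Fail closed on anything that is not a YYYY-MM-DD string.
    if ( ! preg_match( '/^\d{4}-\d{2}-\d{2}$/', $ymd ) ) {
        return array();
    }

    $table = $wpdb->prefix . 'example_tickets'; // hypothetical table, not user input

    // Vulnerable pattern:
    // $wpdb->get_results( "SELECT id, title FROM $table WHERE event_date = '$ymd'" );

    // Prepared: a placeholder for every variable value.
    return $wpdb->get_results(
        $wpdb->prepare( "SELECT id, title FROM {$table} WHERE event_date = %s", $ymd )
    );
}

// Sanitise request input on the way in, escape on the way out.
function example_render_day_tickets() {
    $ymd = isset( $_GET['day'] ) ? sanitize_text_field( wp_unslash( $_GET['day'] ) ) : '';
    $out = '<ul>';
    foreach ( example_find_tickets_for_day( $ymd ) as $row ) {
        $out .= sprintf(
            '<li data-id="%d">%s</li>',
            absint( $row->id ),
            esc_html( $row->title )
        );
    }
    return $out . '</ul>';
}
```

The point of the example is that escaping is chosen per output context (esc_html for element text, esc_url for an href) and applied at the point of output, regardless of what the host plugin did or did not do before invoking the filter; relying on the filter's caller to have sanitised the value is exactly the assumption the finding above warns against.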

This plugin is intended to function with add-ons which can be purchased separately. No add-ons were included in this inspection. However, we are confident that this plugin does contain a Cross Site Scripting vulnerability which would be exploitable if a ticketing add-on were in use.

Therefore, we recommend that this plugin should not be used if you are also using a ticketing add-on, and have given it a 'Use with caution' rating as a result.

Reason for the 'Use with caution' result

The plugin appears not to be vulnerable, but could interact with another component in such a way as to become vulnerable:

XSS in code which functions with the ticketing add-on.

Failure criteria

  • Lack of input sanitisation
  • Lack of proper output escaping
  • Very large codebase

Read more about our failure criteria.