WordPress Plugin Vulnerabilities

FullCalendar <= 1.6 - Unauthenticated Information Exposure

Description

The WP FullCalendar plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.6. This makes it possible for unauthenticated attackers to extract sensitive user or configuration data.

Affects Plugins

Plugin icon
wp-fullcalendar
No known fix

References

CVE
CVE-2026-24523
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/45c2ad78-6cae-4d32-b595-54a466ff2469

Classification

Type
SENSITIVE DATA DISCLOSURE
OWASP top 10
A3: Sensitive Data Exposure
CWE
CWE-200
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Nabil Irawan
Verified
No
WPVDB ID
ebe79315-8208-480b-82d0-6baa06cfdb7f

Timeline

Publicly Published
2026-01-26 (about 3 months ago)
Added
2026-02-02 (about 3 months ago)
Last Updated
2026-02-02 (about 3 months ago)

Other

Published
Title
Published
2025-01-13
Title
WebToffee WP Backup and Migration < 1.5.4 - Unauthenticated Sensitive Information Exposure
Published
2024-11-20
Title
Sky Addons for Elementor < 2.6.2 - Authenticated (Contributor+) Sensitive Information Exposure via Content Switcher Widget Elementor Template
Published
2026-04-07
Title
Riaxe Product Customizer <= 2.4 - Unauthenticated Sensitive Information Disclosure via '/orders' REST API Endpoint
Published
2025-04-22
Title
WordPress Simple PayPal Shopping Cart < 5.1.3 - Unauthenticated Information Exposure via file_url Parameter
Published
2025-05-16
Title
Wishlist <= 2.1.0 - Authenticated (Subscriber+) Information Exposure