SQL Injection (SQLi) vulnerability found by Ozkan Mustafa Akkus in premium WordPress WP Events Calendar plugin (versions <= 1.0). An attacker can perform attacks via calendar ajax queries. However, this plugin is fully PHP-enabled. You can run SQL query with "month" and "year" parameters.
5 June 2018 - we were unable to find an updated version or its changelog.