cleantalk
Vulnerabilities and Security Researches

Vulnerabilities and security researches forevents-manager events-manager

Direction: ascending
Jun 07, 2024

Events Manager – Calendar, Bookings, Tickets, and more! # CVE-2019-16523

CVE, Research URL

CVE-2019-16523

Date
Oct 16, 2019
Research Description
The events-manager plugin through 5.9.5 for WordPress (aka Events Manager) is susceptible to Stored XSS due to improper encoding and insertion of data provided to the attribute map_style of shortcodes (locations_map and events_map) provided by the plugin.
Affected versions
max 5.9.6.
Status
vulnerable

Events Manager – Calendar, Bookings, Tickets, and more! # CVE-2013-7479

CVE, Research URL

CVE-2013-7479

Date
Aug 22, 2019
Research Description
The events-manager plugin before 5.3.9 for WordPress has XSS in the search form field.
Affected versions
max 5.3.9.
Status
vulnerable

Events Manager – Calendar, Bookings, Tickets, and more! # CVE-2013-7480

CVE, Research URL

CVE-2013-7480

Date
Aug 22, 2019
Research Description
The events-manager plugin before 5.3.6.1 for WordPress has XSS via the booking form and admin areas.
Affected versions
max 5.3.6.1.
Status
vulnerable

Events Manager – Calendar, Bookings, Tickets, and more! # CVE-2012-6716

CVE, Research URL

CVE-2012-6716

Date
Aug 22, 2019
Research Description
The events-manager plugin before 5.1.7 for WordPress has XSS via JSON call links.
Affected versions
max 5.1.7.
Status
vulnerable

Events Manager – Calendar, Bookings, Tickets, and more! # CVE-2015-9298

CVE, Research URL

CVE-2015-9298

Date
Aug 13, 2019
Research Description
The events-manager plugin before 5.6 for WordPress has code injection.
Affected versions
max 5.6.
Status
vulnerable

Events Manager – Calendar, Bookings, Tickets, and more! # CVE-2015-9299

CVE, Research URL

CVE-2015-9299

Date
Aug 13, 2019
Research Description
The events-manager plugin before 5.5.7.1 for WordPress has DOM XSS.
Affected versions
max 5.5.7.1.
Status
vulnerable

Events Manager – Calendar, Bookings, Tickets, and more! # CVE-2020-35012

CVE, Research URL

CVE-2020-35012

Date
Dec 02, 2021
Research Description
The Events Manager WordPress plugin before 5.9.8 does not sanitise and escape a parameter before using it in a SQL statement, leading to an SQL Injection
Affected versions
max 5.9.8.
Status
vulnerable

Events Manager – Calendar, Bookings, Tickets, and more! # CVE-2020-35037

CVE, Research URL

CVE-2020-35037

Date
Dec 02, 2021
Research Description
The Events Manager WordPress plugin before 5.9.8 does not sanitise and escape some search parameter before outputing them in pages, which could lead to Cross-Site Scripting issues
Affected versions
max 5.9.8.
Status
vulnerable

Events Manager – Calendar, Bookings, Tickets, and more! # CVE-2013-7477

CVE, Research URL

CVE-2013-7477

Date
Aug 22, 2019
Research Description
The events-manager plugin before 5.5.2 for WordPress has XSS in the booking form.
Affected versions
max 5.5.2.
Status
vulnerable

Events Manager – Calendar, Bookings, Tickets, and more! # CVE-2013-7478

CVE, Research URL

CVE-2013-7478

Date
Aug 22, 2019
Research Description
The events-manager plugin before 5.5 for WordPress has XSS via EM_Ticket::get_post.
Affected versions
max 5.5.
Status
vulnerable

Events Manager – Calendar, Bookings, Tickets, and more! # CVE-2018-13137

CVE, Research URL

CVE-2018-13137

Date
Apr 12, 2019
Research Description
The Events Manager plugin 5.9.4 for WordPress has XSS via the dbem_event_reapproved_email_body parameter to the wp-admin/edit.php?post_type=event&page=events-manager-options URI.
Affected versions
max 5.9.5.
Status
vulnerable

Events Manager – Calendar, Bookings, Tickets, and more! # CVE-2018-0576

CVE, Research URL

CVE-2018-0576

Date
May 14, 2018
Research Description
Cross-site scripting vulnerability in Events Manager plugin prior to version 5.9 for WordPress allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Affected versions
max 5.9.
Status
vulnerable

Events Manager – Calendar, Bookings, Tickets, and more! # CVE-2018-9020

CVE, Research URL

CVE-2018-9020

Date
Mar 26, 2018
Research Description
The Events Manager plugin before 5.8.1.2 for WordPress allows XSS via the events-manager.js mapTitle parameter in the Google Maps miniature.
Affected versions
max 5.8.1.2.
Status
vulnerable

Events Manager – Calendar, Bookings, Tickets, and more! # CVE-2013-1407

CVE, Research URL

CVE-2013-1407

Date
May 13, 2014
Research Description
Multiple cross-site scripting (XSS) vulnerabilities in the Events Manager plugin before 5.3.5 and Events Manager Pro plugin before 2.2.9 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) scope parameter to index.php; (2) user_name, (3) dbem_phone, (4) user_email, or (5) booking_comment parameter to an event with registration enabled; or the (6) _wpnonce parameter to wp-admin/edit.php.
Affected versions
max 5.3.5.
Status
vulnerable

Events Manager – Calendar, Bookings, Tickets, and more! # CVE-2015-9297

CVE, Research URL

CVE-2015-9297

Date
Aug 13, 2019
Research Description
The events-manager plugin before 5.6 for WordPress has XSS.
Affected versions
max 5.6.
Status
vulnerable

Events Manager – Calendar, Bookings, Tickets, and more! # CVE-2015-9300

CVE, Research URL

CVE-2015-9300

Date
Aug 13, 2019
Research Description
The events-manager plugin before 5.5.7 for WordPress has multiple XSS issues.
Affected versions
max 5.5.7.
Status
vulnerable

Events Manager – Calendar, Bookings, Tickets, and more! # CVE-2023-48326

CVE, Research URL

CVE-2023-48326

Date
Nov 30, 2023
Research Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Pixelite Events Manager allows Reflected XSS.This issue affects Events Manager: from n/a through 6.4.5.
Affected versions
max 6.4.6.
Status
vulnerable

Events Manager – Calendar, Bookings, Tickets, and more! # CVE-2024-30515

CVE, Research URL

CVE-2024-30515

Date
Jun 09, 2024
Research Description
Missing Authorization vulnerability in Pixelite Events Manager.This issue affects Events Manager: from n/a through 6.4.6.4.
Affected versions
max 6.4.7.
Status
vulnerable

Events Manager – Calendar, Bookings, Tickets, and more! # CVE-2024-0614

CVE, Research URL

CVE-2024-0614

Date
Mar 13, 2024
Research Description
The Events Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 6.4.6.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Affected versions
max 6.4.7.
Status
vulnerable

Events Manager – Calendar, Bookings, Tickets, and more! # CVE-2024-2110

CVE, Research URL

CVE-2024-2110

Date
Mar 28, 2024
Research Description
The Events Manager – Calendar, Bookings, Tickets, and more! plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.4.7.1. This is due to missing or incorrect nonce validation on several actions. This makes it possible for unauthenticated attackers to modify booking statuses via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Affected versions
max 6.4.7.2.
Status
vulnerable

Events Manager – Calendar, Bookings, Tickets, and more! # CVE-2024-2111

CVE, Research URL

CVE-2024-2111

Date
Mar 28, 2024
Research Description
The Events Manager – Calendar, Bookings, Tickets, and more! plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the physical location value in all versions up to, and including, 6.4.7.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions
max 6.4.7.2.
Status
vulnerable

Events Manager – Calendar, Bookings, Tickets, and more! # CVE-2024-30421

CVE, Research URL

CVE-2024-30421

Date
Mar 28, 2024
Research Description
Cross-Site Request Forgery (CSRF) vulnerability in Pixelite Events Manager.This issue affects Events Manager: from n/a through 6.4.7.1.
Affected versions
max 6.4.7.2.
Status
vulnerable
Jun 13, 2024

Events Manager – Calendar, Bookings, Tickets, and more! # CVE-2024-3492

CVE, Research URL

CVE-2024-3492

Date
Jun 12, 2024
Research Description
The Events Manager – Calendar, Bookings, Tickets, and more! plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'event', 'location', and 'event_category' shortcodes in all versions up to, and including, 6.4.7.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions
max 6.4.8.
Status
vulnerable
Jun 30, 2024

Events Manager – Calendar, Bookings, Tickets, and more! # CVE-2024-5889

CVE, Research URL

CVE-2024-5889

Date
Jun 29, 2024
Research Description
The Events Manager – Calendar, Bookings, Tickets, and more! plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘country’ parameter in all versions up to, and including, 6.4.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Affected versions
max 6.4.9.
Status
vulnerable
Sep 05, 2024

Events Manager – Calendar, Bookings, Tickets, and more! # PSC-2024-64524

PSC, Research URL

PSC-2024-64524

Date
Aug 05, 2025
Research Description
The plugin is meticulously engineered to deliver reliability, scalability, and secure handling of user data. Recently, Events Manager has successfully undergone a rigorous security audit, earning the prestigious Plugin Security Certification (PSC) from CleanTalk, further solidifying its reputation as a secure solution for managing events on WordPress.
Affected versions
Min 7.4.0.1, max 7.4.0.1.
Status
SAFE & CERTIFIED
Feb 21, 2025

Events Manager – Calendar, Bookings, Tickets, and more! # CVE-2024-11260

CVE, Research URL

CVE-2024-11260

Date
Feb 21, 2025
Research Description
The Events Manager – Calendar, Bookings, Tickets, and more! plugin for WordPress is vulnerable to time-based SQL Injection via the active_status parameter in all versions up to, and including, 6.6.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Affected versions
max 6.6.4.
Status
vulnerable
Mar 05, 2025

Events Manager – Calendar, Bookings, Tickets, and more! # CVE-2025-1249

CVE, Research URL

CVE-2025-1249

Date
Feb 26, 2025
Research Description
Missing Authorization vulnerability in Marcus (aka @msykes) Events Manager events-manager allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Events Manager: from n/a through <= 6.6.4.1.
Affected versions
max 6.6.4.2.
Status
vulnerable
Jul 12, 2025

Events Manager &#8211; Calendar, Bookings, Tickets, and more! # CVE-2025-6975

CVE, Research URL

CVE-2025-6975

Date
Jul 10, 2025
Research Description
The Events Manager – Calendar, Bookings, Tickets, and more! plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘calendar_header’ parameter in all versions up to, and including, 7.0.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Affected versions
max 6.6.5.
Status
vulnerable

Events Manager &#8211; Calendar, Bookings, Tickets, and more! # CVE-2025-6970

CVE, Research URL

CVE-2025-6970

Date
Jul 10, 2025
Research Description
The Events Manager – Calendar, Bookings, Tickets, and more! plugin for WordPress is vulnerable to time-based SQL Injection via the ‘orderby’ parameter in all versions up to, and including, 7.0.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Affected versions
max 6.6.5.
Status
vulnerable

Events Manager &#8211; Calendar, Bookings, Tickets, and more! # CVE-2025-6976

CVE, Research URL

CVE-2025-6976

Date
Jul 10, 2025
Research Description
The Events Manager – Calendar, Bookings, Tickets, and more! plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to, and including, 7.0.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions
max 6.6.5.
Status
vulnerable

Events Manager &#8211; Calendar, Bookings, Tickets, and more! # CVE-2025-6970-2

CVE, Research URL

CVE-2025-6970-2

Date
Jul 10, 2025
Research Description
The Events Manager – Calendar, Bookings, Tickets, and more! plugin for WordPress is vulnerable to time-based SQL Injection via the ‘orderby’ parameter in all versions up to, and including, 7.0.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Affected versions
Min 7.0.1, max 7.0.3.
Status
vulnerable

Events Manager &#8211; Calendar, Bookings, Tickets, and more! # CVE-2025-6975-2

CVE, Research URL

CVE-2025-6975-2

Date
Jul 10, 2025
Research Description
The Events Manager – Calendar, Bookings, Tickets, and more! plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘calendar_header’ parameter in all versions up to, and including, 7.0.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Affected versions
Min 7.0.1, max 7.0.3.
Status
vulnerable

Events Manager &#8211; Calendar, Bookings, Tickets, and more! # CVE-2025-6976-2

CVE, Research URL

CVE-2025-6976-2

Date
Jul 10, 2025
Research Description
The Events Manager – Calendar, Bookings, Tickets, and more! plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to, and including, 7.0.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions
Min 7.0.1, max 7.0.3.
Status
vulnerable
Jan 10, 2026

Events Manager &#8211; Calendar, Bookings, Tickets, and more! # CVE-2025-12407

CVE, Research URL

CVE-2025-12407

Date
Dec 12, 2025
Research Description
The Events Manager – Calendar, Bookings, Tickets, and more! plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 7.2.2.2. This is due to missing or incorrect nonce validation on the 'location_delete' action. This makes it possible for unauthenticated attackers to delete locations via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Affected versions
max 7.2.2.3.
Status
vulnerable

Events Manager &#8211; Calendar, Bookings, Tickets, and more! # CVE-2025-12408

CVE, Research URL

CVE-2025-12408

Date
Dec 12, 2025
Research Description
The Events Manager – Calendar, Bookings, Tickets, and more! plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 7.2.2.2 via the 'get_location' action due to insufficient restrictions on which locations can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft event locations that they should not have access to.
Affected versions
max 7.2.2.3.
Status
vulnerable
Jun 14, 2026

Events Manager &#8211; Calendar, Bookings, Tickets, and more! # CVE-2025-12976

CVE, Research URL

CVE-2025-12976

Date
Dec 18, 2025
Research Description
The Events Manager – Calendar, Bookings, Tickets, and more! plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'events_list_grouped' shortcode in all versions up to, and including, 7.2.2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions
max 7.2.3.
Status
vulnerable
Jun 16, 2026

Events Manager &#8211; Calendar, Bookings, Tickets, and more! # 25036fc51d7481041a2224146e8ed9d270ce27b1

Date
Nov 30, 2020
Research Description
Events Manager &#8211; Calendar, Bookings, Tickets, and more! [events-manager] < 5.9.8 WordPress Events Manager plugin <= 5.9.7.3 - SQL Injection (SQLi) vulnerability SQL Injection (SQLi) vulnerability found by Antony Garand in WordPress Events Manager plugin (versions <= 5.9.7.3).
Affected versions
max 5.9.8.
Status
vulnerable

Events Manager &#8211; Calendar, Bookings, Tickets, and more! # 57a97ae7cb99d6eb276259d1ad7ed76e7daba709

Date
May 15, 2015
Research Description
Events Manager &#8211; Calendar, Bookings, Tickets, and more! [events-manager] < 5.5.2 WordPress Events Manager Plugin <= 5.5.1 - Cross Site Scripting Because of this vulnerability, the attackers can inject arbitrary JavaScript or HTML code. Update the plugin.
Affected versions
max 5.5.2.
Status
vulnerable

Events Manager &#8211; Calendar, Bookings, Tickets, and more! # ad011e106b92cec79f84c6b75a40aaeb9fe62160

Date
Feb 05, 2020
Research Description
Events Manager &#8211; Calendar, Bookings, Tickets, and more! [events-manager] < 5.9.7.2 Events Manager <= 5.9.7.1 - CSV Injection The Events Manager plugin for WordPress is vulnerable to CSV Injection in versions up to, and including, 5.9.7.1 through the use of the Microsoft Excel DDE function. This allows low-privileged attackers to embed untrusted input into exported CSV files, which can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration.
Affected versions
max 5.9.7.2.
Status
vulnerable

Events Manager &#8211; Calendar, Bookings, Tickets, and more! # d7fec95db364a16dd19f078b0571452f234c3a1e

Date
Nov 30, 2020
Research Description
Events Manager &#8211; Calendar, Bookings, Tickets, and more! [events-manager] < 5.9.8 WordPress Events Manager plugin <= 5.9.7.3 - Cross-Site Scripting (XSS) vulnerability Cross-Site Scripting (XSS) vulnerability found by Jakob Wierzba in WordPress Events Manager plugin (versions <= 5.9.7.3).
Affected versions
max 5.9.8.
Status
vulnerable

Events Manager &#8211; Calendar, Bookings, Tickets, and more! # f4b5c879988cab9d450076a17bc8cfe77e92bff8

Date
Feb 06, 2020
Research Description
Events Manager &#8211; Calendar, Bookings, Tickets, and more! [events-manager] < 5.9.7.2 Events Manager < 5.9.7.2 & Events Manager Pro < 2.6.7.2 - Unauthenticated CSV Injection The Events Manager Pro, versions up to 2.6.7.2, and Events Manager, versions up to 5.9.7.2, plugins for WordPress are vulnerable to CSV Injection. This allows unauthenticated attackers to embed untrusted input into exported CSV files, which can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration.
Affected versions
max 5.9.7.2.
Status
vulnerable

Events Manager &#8211; Calendar, Bookings, Tickets, and more! # 18f8fb1edd163f79f4338252dd75ecae815ab804

Date
May 15, 2015
Research Description
Events Manager &#8211; Calendar, Bookings, Tickets, and more! [events-manager] < 5.3.6 WordPress Events Manager Plugin <= 5.3.5 - Multiple Cross Site Scripting Because of this vulnerability, the attackers can inject arbitrary JavaScript or HTML code. Update the plugin.
Affected versions
max 5.3.6.
Status
vulnerable

Events Manager &#8211; Calendar, Bookings, Tickets, and more! # 1440ea0714c0c83e516691cdf4a20163dc8d76dd

Date
May 15, 2015
Research Description
Events Manager &#8211; Calendar, Bookings, Tickets, and more! [events-manager] < 5.3.9 WordPress Events Manager Plugin <= 5.3.8 - Cross Site Scripting Because of this vulnerability, the attackers can inject arbitrary JavaScript or HTML code. Update the plugin.
Affected versions
max 5.3.9.
Status
vulnerable

Events Manager &#8211; Calendar, Bookings, Tickets, and more! # 367a2b2e3a2403b8bedfed14e024b76dcaf0ab08

Date
Nov 25, 2020
Research Description
Events Manager &#8211; Calendar, Bookings, Tickets, and more! [events-manager] < 5.9.8.2 WordPress Events Manager plugin <= 5.9.8.1 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability Authenticated Stored Cross-Site Scripting (XSS) vulnerability found by Nguyen Van Khanh in WordPress Events Manager plugin (versions <= 5.9.8.1).
Affected versions
max 5.9.8.2.
Status
vulnerable

Events Manager &#8211; Calendar, Bookings, Tickets, and more! # 1e90092982313329b8b74cc00ab0542b98ddb7c9

Date
Feb 07, 2020
Research Description
Events Manager &#8211; Calendar, Bookings, Tickets, and more! [events-manager] < 5.9.7.2 WordPress Events Manager plugin <= 5.9.7.1 - CSV Injection vulnerability CSV Injection vulnerability found by Vishnupriya Ilango in WordPress Events Manager plugin (versions <= 5.9.7.1).
Affected versions
max 5.9.7.2.
Status
vulnerable

Events Manager &#8211; Calendar, Bookings, Tickets, and more! # f201225d-2342-4cc5-aa45-b22177f7f3c3

Date
-
Research Description
Events Manager &#8211; Calendar, Bookings, Tickets, and more! [events-manager] < 5.9.7.2 Events Manager &lt; 5.9.7.2 - CSV Injection The Events Manager WordPress plugin was affected by a CSV Injection security vulnerability.
Affected versions
max 5.9.7.2.
Status
vulnerable
Jul 15, 2026

Events Manager &#8211; Calendar, Bookings, Tickets, and more! # CVE-2026-57713

CVE, Research URL

CVE-2026-57713

Date
Jul 13, 2026
Research Description
Deserialization of Untrusted Data vulnerability in Marcus (aka @msykes) Events Manager events-manager allows Object Injection.This issue affects Events Manager: from n/a through <= 7.3.6.
Affected versions
max 7.3.7.
Status
vulnerable