cleantalk
Vulnerabilities and Security Researches

WP Event Manager – Events Calendar, Registrations, Sell Tickets with WooCommerce, CVE-2025-2799

CVE, Research URL

CVE-2025-2799

Home page URL

Security reports for WP Event Manager – Events Calendar, Registrations, Sell Tickets with WooCommerce

Application

WP Event Manager – Events Calendar, Registrations, Sell Tickets with WooCommerce

Published on
Jul 16, 2025
Research Description
The WP Event Manager – Events Calendar, Registrations, Sell Tickets with WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘tag-name’ parameter in all versions up to, and including, 3.1.49 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Affected versions
max 3.1.50.
Status
vulnerable
Previous vulnerability researches
Jeg Elementor Kit (CVE-2024-10308) , Nov 26, 2024
Jeg Elementor Kit (CVE-2024-8899) , Nov 26, 2024
Jeg Elementor Kit (CVE-2025-2944) , May 10, 2025
Jeg Elementor Kit (CVE-2024-1326) , Jun 07, 2024
Jeg Elementor Kit (CVE-2022-3805) , Jun 07, 2024
New vulnerability
WooMS (CVE-2025-57956) , Apr 25, 2026
Ultra Addons Lite for Elementor (CVE-2025-9077) , Apr 25, 2026
VikRestaurants Table Reservations and Take-Away (CVE-2025-57962) , Apr 25, 2026
VikRestaurants Table Reservations and Take-Away (CVE-2025-57968) , Apr 25, 2026
RestroPress – Online Food Ordering System (CVE-2025-9209) , Apr 25, 2026