cleantalk
Vulnerabilities and Security Researches

WP Event Manager – Events Calendar, Registrations, Sell Tickets with WooCommerce, CVE-2025-2799

CVE, Research URL

CVE-2025-2799

Home page URL

Security reports for WP Event Manager – Events Calendar, Registrations, Sell Tickets with WooCommerce

Application

WP Event Manager – Events Calendar, Registrations, Sell Tickets with WooCommerce

Published on
Jul 16, 2025
Research Description
The WP Event Manager – Events Calendar, Registrations, Sell Tickets with WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘tag-name’ parameter in all versions up to, and including, 3.1.49 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Affected versions
max 3.1.50.
Status
vulnerable
Previous vulnerability researches
xili-language (9f231df1d54696e6fdb5cd782bafd379b9ddbdc9) , Jun 06, 2024
xili-language (CVE-2025-31085) , Apr 03, 2025
xili-language (CVE-2025-58654) , Apr 25, 2026
New vulnerability
Ultra Addons Lite for Elementor (CVE-2025-9077) , Apr 25, 2026
VikRestaurants Table Reservations and Take-Away (CVE-2025-57962) , Apr 25, 2026
VikRestaurants Table Reservations and Take-Away (CVE-2025-57968) , Apr 25, 2026
RestroPress – Online Food Ordering System (CVE-2025-9209) , Apr 25, 2026
Smart Docs (CVE-2025-9333) , Apr 25, 2026