Events Manager – Calendar, Bookings, Tickets, and more! WordPress Plugin Security Vulnerabilities | WPScan

31

December 16, 2025

70000

Published

2025-12-17

Title

Events Manager < 7.2.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'events_list_grouped' Shortcode

Fixed in

Fixed in 7.2.3

CVSS

6.4 (medium)

Published

2025-12-11

Title

Events Manager – Calendar, Bookings, Tickets, and more! < 7.2.2.3 - Cross-Site Request Forgery to Location Deletion

Fixed in

Fixed in 7.2.2.3

CVSS

4.3 (medium)

Published

2025-12-11

Title

Events Manager < 7.2.2.3 - Unauthenticated Information Exposure

Fixed in

Fixed in 7.2.2.3

CVSS

5.3 (medium)

Published

2025-07-09

Title

Events Manager < 7.0.4 - Authenticated(Contributor+) Stored Cross-Site Scripting via Plugin Shortcodes

Fixed in

Fixed in 7.0.4

CVSS

6.4 (medium)

Published

2025-07-09

Title

Events Manager < 7.0.4 - Unauthenticated SQL Injection via `orderby` Parameter

Fixed in

Fixed in 7.0.4

CVSS

7.5 (high)

Published

2025-07-09

Title

Event Manager < 7.0.4 - Reflected Cross-Site Scripting via `calendar_header` Parameter

Fixed in

Fixed in 7.0.4

CVSS

6.1 (medium)

Published

2025-02-26

Title

Events Manager – Calendar, Bookings, Tickets, and more! < 6.6.4.2 - Missing Authorization

Fixed in

Fixed in 6.6.4.2

CVSS

5.3 (medium)

Published

2025-02-20

Title

Events Manager – Calendar, Bookings, Tickets, and more! < 6.6.4 - Unauthenticated SQL Injection via Event Status Parameter

Fixed in

Fixed in 6.6.4

CVSS

7.5 (high)

Published

2024-06-28

Title

Events Manager < 6.4.9 - Reflected Cross-Site Scripting

Fixed in

Fixed in 6.4.9

CVSS

6.1 (medium)

Published

2024-06-11

Title

Events Manager – Calendar, Bookings, Tickets, and more! < 6.4.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via event, location, and event_category Shortcodes

Fixed in

Fixed in 6.4.8

CVSS

6.4 (medium)

Published

2024-03-28

Title

Events Manager < 6.4.7 - Missing Authorization

Fixed in

Fixed in 6.4.7

CVSS

4.3 (medium)

Published

2024-03-28

Title

Events Manager < 6.4.7.2 - Cross-Site Request Forgery

Fixed in

Fixed in 6.4.7.2

CVSS

4.3 (medium)

Published

2024-03-27

Title

Events Manager < 6.4.7.2 - Cross-Site Request Forgery

Fixed in

Fixed in 6.4.7.2

CVSS

4.3 (medium)

Published

2024-03-27

Title

Events Manager < 6.4.7.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

Fixed in

Fixed in 6.4.7.2

CVSS

6.4 (medium)

Published

2024-02-28

Title

Events Manager < 6.4.7 - Authenticated(Administator+) Stored Cross-Site Scripting via settings

Fixed in

Fixed in 6.4.7

CVSS

4.4 (medium)

Published

2023-11-23

Title

Events Manager < 6.4.6 - Reflected Cross-Site Scripting

Fixed in

Fixed in 6.4.6

CVSS

6.1 (medium)

Published

2020-06-07

Title

Events Manager < 5.9.8 - Cross-Site Scripting (XSS)

Fixed in

Fixed in 5.9.8

CVSS

3.8 (low)

Published

2020-06-07

Title

Events Manager < 5.9.8 - Admin+ SQL Injection

Fixed in

Fixed in 5.9.8

CVSS

6.8 (medium)

Published

2020-02-05

Title

Events Manager < 5.9.7.2 - CSV Injection

Fixed in

Fixed in 5.9.7.2

CVSS

n/a

Published

2019-10-16

Title

Events Manager < 5.9.6 - Authenticated Stored Cross-Site Scripting (XSS)

Fixed in

Fixed in 5.9.6

CVSS

5.4 (medium)

Published

2018-04-27

Title

Events Manager < 5.9 - Authenticated Stored Cross-Site Scripting (XSS)

Fixed in

Fixed in 5.9

CVSS

5.4 (medium)

Published

2018-03-26

Title

Events Manager <= 5.8.1.1 - Unauthenticated Stored XSS

Fixed in

Fixed in 5.8.1.2

CVSS

5.4 (medium)

Published

2015-08-10

Title

Events Manager < 5.6 - Cross-Site Scripting (XSS) & Code Injection

Fixed in

Fixed in 5.6

CVSS

9.8 (critical)

Published

2015-06-04

Title

Events Manager < 5.5.7.1 - DOM Cross-Site Scripting (XSS)

Fixed in

Fixed in 5.5.7.1

CVSS

6.1 (medium)

Published

2015-05-23

Title

Events Manager < 5.5.7 - Multiple Cross-Site Scripting (XSS)

Fixed in

Fixed in 5.5.7

CVSS

6.1 (medium)

Published

2014-08-01

Title

Events Manager 5.3.3 - Multiple Cross-Site Scripting (XSS)

Fixed in

Fixed in 5.3.4

CVSS

n/a

Published

2014-08-01

Title

Events Manager 5.5.1 - Multiple Unspecified XSS Vulnerabilities

Fixed in

Fixed in 5.5.2

CVSS

6.1 (medium)

Published

2014-08-01

Title

Events Manager 5.3.8 - Multiple Cross-Site Scripting (XSS)

Fixed in

Fixed in 5.3.9

CVSS

6.1 (medium)

Published

2013-08-14

Title

Events Manager < 5.5 - Cross-Site Scripting (XSS)

Fixed in

Fixed in 5.5

CVSS

6.1 (medium)

Published

2013-02-27

Title

Events Manager < 5.3.6.1 - Multiple Cross-Site Scripting (XSS)

Fixed in

Fixed in 5.3.6.1

CVSS

6.1 (medium)

Published

2012-05-22

Title

Events Manager < 5.1.7 - Cross-Site Scripting (XSS)

Fixed in

Fixed in 5.1.7

CVSS

6.1 (medium)