Events Manager
by WordPress
CVEs (26)
| CVE | Vendor / Product | Severity | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-6553 | | Critical | 0.64 | 9.8 | 0.01 | | Oct 11, 2025 | The Ovatheme Events Manager plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the process_checkout() function in all versions up to, and including, 1.8.5. This makes it possible for unauthenticated attackers to upload arbitrary… |
| CVE-2015-9298 | | Critical | 0.64 | 9.8 | 0.02 | | Aug 13, 2019 | The events-manager plugin before 5.6 for WordPress has code injection. |
| CVE-2020-35012 | | High | 0.47 | 7.2 | 0.01 | | Dec 1, 2021 | The Events Manager WordPress plugin before 5.9.8 does not sanitise and escape a parameter before using it in a SQL statement, leading to an SQL Injection |
| CVE-2023-48326 | | High | 0.46 | 7.1 | 0.00 | | Nov 30, 2023 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Pixelite Events Manager allows Reflected XSS. This issue affects Events Manager: from n/a through 6.4.5. |
| CVE-2025-7663 | | Medium | 0.42 | 6.5 | 0.00 | | Nov 8, 2025 | The Ovatheme Events Manager plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several functions in the /class-ovaem-ajax.php file in all versions up to, and including, 1.8.6. This makes it possible for unauthenticated attackers to… |
| CVE-2024-2111 | | Medium | 0.42 | 6.4 | 0.00 | | Mar 28, 2024 | The Events Manager – Calendar, Bookings, Tickets, and more! plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the physical location value in all versions up to, and including, 6.4.7.1 due to insufficient input sanitization and output escaping. This makes it… |
| CVE-2020-35037 | | Medium | 0.40 | 6.1 | 0.01 | | Dec 1, 2021 | The Events Manager WordPress plugin before 5.9.8 does not sanitise and escape some search parameter before outputting them in pages, which could lead to Cross-Site Scripting issues |
| CVE-2013-7480 | | Medium | 0.40 | 6.1 | 0.01 | | Aug 22, 2019 | The events-manager plugin before 5.3.6.1 for WordPress has XSS via the booking form and admin areas. |
| CVE-2013-7479 | | Medium | 0.40 | 6.1 | 0.01 | | Aug 22, 2019 | The events-manager plugin before 5.3.9 for WordPress has XSS in the search form field. |
| CVE-2013-7478 | | Medium | 0.40 | 6.1 | 0.01 | | Aug 22, 2019 | The events-manager plugin before 5.5 for WordPress has XSS via EM_Ticket::get_post. |
| CVE-2013-7477 | | Medium | 0.40 | 6.1 | 0.01 | | Aug 22, 2019 | The events-manager plugin before 5.5.2 for WordPress has XSS in the booking form. |
| CVE-2012-6716 | | Medium | 0.40 | 6.1 | 0.01 | | Aug 22, 2019 | The events-manager plugin before 5.1.7 for WordPress has XSS via JSON call links. |
| CVE-2015-9300 | | Medium | 0.40 | 6.1 | 0.01 | | Aug 13, 2019 | The events-manager plugin before 5.5.7 for WordPress has multiple XSS issues. |
| CVE-2015-9299 | | Medium | 0.40 | 6.1 | 0.01 | | Aug 13, 2019 | The events-manager plugin before 5.5.7.1 for WordPress has DOM XSS. |
| CVE-2015-9297 | | Medium | 0.40 | 6.1 | 0.01 | | Aug 13, 2019 | The events-manager plugin before 5.6 for WordPress has XSS. |
| CVE-2019-16523 | | Medium | 0.35 | 5.4 | 0.01 | | Oct 16, 2019 | The events-manager plugin through 5.9.5 for WordPress (aka Events Manager) is susceptible to Stored XSS due to improper encoding and insertion of data provided to the attribute map_style of shortcodes (locations_map and events_map) provided by the plugin. |
| CVE-2018-0576 | | Medium | 0.35 | 5.4 | 0.02 | | May 14, 2018 | Cross-site scripting vulnerability in Events Manager plugin prior to version 5.9 for WordPress allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
| CVE-2018-9020 | | Medium | 0.35 | 5.4 | 0.01 | | Mar 26, 2018 | The Events Manager plugin before 5.8.1.2 for WordPress allows XSS via the events-manager.js mapTitle parameter in the Google Maps miniature. |
| CVE-2025-1249 | | Medium | 0.34 | 5.3 | 0.00 | | Feb 26, 2025 | Missing Authorization vulnerability in Marcus (aka @msykes) Events Manager events-manager allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Events Manager: from n/a through <= 6.6.4.1. |
| CVE-2018-13137 | | Medium | 0.31 | 4.8 | 0.01 | | Apr 12, 2019 | The Events Manager plugin 5.9.4 for WordPress has XSS via the dbem_event_reapproved_email_body parameter to the wp-admin/edit.php?post_type=event&page=events-manager-options URI. |
Page 1 of 2