Event Monster – Manager & Ticket Booking Security & Risk Analysis

wordpress.org/plugins/event-monster

Event manager with calendar display, ticket booking, registration forms, and attendee tracking for all occasions.

800 active installs · v2.0.1 · PHP 7.4+ · WP 5.8+ · Updated Jan 29, 2026
Tags: event-booking, event-calendar, event-manager, event-registration, ticket-booking

Security score: 94 (A · Safe)
CVEs total: 7
Unpatched: 0
Last CVE: Jan 13, 2025

Safety Verdict

Is Event Monster – Manager & Ticket Booking Safe to Use in 2026?

Generally Safe

Score 94/100

Event Monster – Manager & Ticket Booking has a strong security track record. Known vulnerabilities have been patched promptly.

7 known CVEs · Last CVE: Jan 13, 2025 · Updated 2mo ago

Risk Assessment

The plugin "event-monster" v2.0.1 exhibits a mixed security posture. While it demonstrates some good practices such as a significant number of nonce and capability checks, and a majority of SQL queries utilizing prepared statements, there are notable areas of concern. The presence of 12 AJAX handlers without authentication checks presents a substantial attack surface. Furthermore, the taint analysis reveals 9 flows with unsanitized paths, including 6 of high severity, indicating potential vulnerabilities in how user input is processed. The plugin's history of 7 known CVEs, with 4 high and 3 medium severity, points to recurring security weaknesses across various categories, including XSS, SQL Injection, CSRF, and data exposure. The most recent vulnerability, dated January 2025, suggests that security issues have been persistent.

Overall, the plugin's security is compromised by its unprotected AJAX endpoints and the identified unsanitized data flows, which pose immediate risks. The historical prevalence of high and medium severity vulnerabilities, even with no currently unpatched CVEs, indicates a need for rigorous auditing and improved secure coding practices. While the plugin shows effort in areas like prepared statements and escaping, these strengths are overshadowed by the identified vulnerabilities and the large unprotected attack surface, making it a moderate to high risk for users.

Key Concerns

  • Unprotected AJAX handlers
  • High severity taint flows
  • Unsanitized paths in taint flows
  • High severity CVE history
  • Medium severity CVE history
  • Less than ideal output escaping

Vulnerabilities: 7

Event Monster – Manager & Ticket Booking Security Vulnerabilities

CVEs by Year

  • 2019: 1 CVE
  • 2022: 2 CVEs
  • 2023: 1 CVE
  • 2024: 2 CVEs
  • 2025: 1 CVE

Severity Breakdown

  • High: 4
  • Medium: 3

7 total CVEs

CVE-2024-11396 · medium · 5.3 · Exposure of Private Personal Information to an Unauthorized Actor
Event monster <= 1.4.3 - Information Exposure Via Visitors List Export
Jan 13, 2025 · Patched in 1.4.4 (1d)

CVE-2024-5059 · medium · 5.3 · Exposure of Sensitive Information to an Unauthorized Actor
Event Management Tickets Booking <= 1.4.3 - Unauthenticated Information Exposure
Jun 19, 2024 · Patched in 1.4.4 (189d)

CVE-2024-1895 · high · 7.5 · Deserialization of Untrusted Data
Event Monster <= 1.3.9 - Authenticated(Contributor+) PHP Object Injection via Custom Meta
Apr 29, 2024 · Patched in 1.4.0 (240d)

CVE-2023-47525 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Event Management Tickets Booking <= 1.4.6 - Authenticated (Administrator+) Stored Cross-Site Scripting via settings
Dec 19, 2023 · Patched in 2.0.0 (778d)

CVE-2022-3720 · high · 7.2 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Event Monster <= 1.2.0 - Authenticated (Administrator+) SQL Injection
Oct 31, 2022 · Patched in 1.2.1 (449d)

CVE-2022-3336 · high · 8.8 · Cross-Site Request Forgery (CSRF)
Event Monster – Event Management, Tickets Booking, Upcoming Event <= 1.1.20 - Cross-Site Request Forgery
Oct 27, 2022 · Patched in 1.2.0 (453d)

WF-baa063b7-8b79-4de3-84b1-6dec024fa395-event-monster · high · 7.2 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Event Management Tickets Booking By Event Monster Plugin < 1.0.6 - Cross-Site Scripting
May 23, 2019 · Patched in 1.0.6 (1706d)

Code Analysis
Analyzed Mar 16, 2026

Event Monster – Manager & Ticket Booking Code Analysis

  • Dangerous Functions: 0
  • Raw SQL Queries: 24 (58 prepared)
  • Unescaped Output: 599 (1144 escaped)
  • Nonce Checks: 32
  • Capability Checks: 26
  • File Operations: 3
  • External Requests: 4
  • Bundled Libraries: 0

SQL Query Safety

71% prepared · 82 total queries

Output Escaping

66% escaped · 1743 total outputs

Data Flows: 9 unsanitized

Data Flow Analysis

23 flows · 9 with unsanitized paths
ajax_preview_layout (admin\event-layout-settings.php:197)

Attack Surface: 12 unprotected

Event Monster – Manager & Ticket Booking Attack Surface

Entry Points: 30
Unprotected: 12

AJAX Handlers 26

auth · wp_ajax_em_preview_layout · admin\event-layout-settings.php:13
auth · wp_ajax_em_save_settings · includes\class-event-monster-admin.php:26
auth · wp_ajax_em_book_tickets · includes\class-event-monster-ajax.php:89
nopriv · wp_ajax_em_book_tickets · includes\class-event-monster-ajax.php:90
auth · wp_ajax_em_capture_payment · includes\class-event-monster-ajax.php:91
nopriv · wp_ajax_em_capture_payment · includes\class-event-monster-ajax.php:92
auth · wp_ajax_em_process_booking · includes\class-event-monster-ajax.php:95
nopriv · wp_ajax_em_process_booking · includes\class-event-monster-ajax.php:96
auth · wp_ajax_em_validate_coupon · includes\class-event-monster-ajax.php:99
nopriv · wp_ajax_em_validate_coupon · includes\class-event-monster-ajax.php:100
auth · wp_ajax_em_create_stripe_payment_intent · includes\class-event-monster-ajax.php:103
nopriv · wp_ajax_em_create_stripe_payment_intent · includes\class-event-monster-ajax.php:104
auth · wp_ajax_em_capture_stripe_payment · includes\class-event-monster-ajax.php:105
nopriv · wp_ajax_em_capture_stripe_payment · includes\class-event-monster-ajax.php:106
auth · wp_ajax_em_create_razorpay_order · includes\class-event-monster-ajax.php:109
nopriv · wp_ajax_em_create_razorpay_order · includes\class-event-monster-ajax.php:110
auth · wp_ajax_em_verify_razorpay_payment · includes\class-event-monster-ajax.php:111
nopriv · wp_ajax_em_verify_razorpay_payment · includes\class-event-monster-ajax.php:112
auth · wp_ajax_em_create_square_payment · includes\class-event-monster-ajax.php:115
nopriv · wp_ajax_em_create_square_payment · includes\class-event-monster-ajax.php:116
auth · wp_ajax_em_get_calendar_events · includes\class-event-monster-calendar.php:63
nopriv · wp_ajax_em_get_calendar_events · includes\class-event-monster-calendar.php:64
auth · wp_ajax_em_get_event_modal · includes\class-event-monster-calendar.php:65
nopriv · wp_ajax_em_get_event_modal · includes\class-event-monster-calendar.php:66
auth · wp_ajax_em_dismiss_update_notice · includes\class-event-monster-update-notice.php:59
auth · wp_ajax_em_dismiss_welcome_notice · includes\class-event-monster-updater.php:32

Shortcodes 4

[EM] includes\class-event-monster-shortcodes.php:17
[EM-LIST] includes\class-event-monster-shortcodes.php:18
[EM-CALENDAR] includes\class-event-monster-shortcodes.php:19
[EM] shortcode.php:3

WordPress Hooks 23

action · admin_enqueue_scripts · admin\event-layout-settings.php:14
action · admin_footer · admin\event-layout-settings.php:15
action · admin_menu · includes\class-event-monster-admin.php:21
action · admin_footer-post.php · includes\class-event-monster-admin.php:22
action · admin_footer-post-new.php · includes\class-event-monster-admin.php:23
action · admin_init · includes\class-event-monster-admin.php:24
action · admin_notices · includes\class-event-monster-admin.php:243
action · wp_enqueue_scripts · includes\class-event-monster-assets.php:25
action · admin_enqueue_scripts · includes\class-event-monster-assets.php:28
action · init · includes\class-event-monster-calendar.php:34
action · wp_enqueue_scripts · includes\class-event-monster-calendar.php:62
action · init · includes\class-event-monster-cpt.php:16
action · init · includes\class-event-monster-cpt.php:17
action · phpmailer_init · includes\class-event-monster-emails.php:42
filter · wp_mail_from · includes\class-event-monster-emails.php:123
filter · wp_mail_from_name · includes\class-event-monster-emails.php:133
action · add_meta_boxes · includes\class-event-monster-metabox.php:17
action · save_post_awl_event_monster · includes\class-event-monster-metabox.php:18
action · admin_notices · includes\class-event-monster-update-notice.php:53
action · admin_menu · includes\class-event-monster-update-notice.php:56
action · admin_enqueue_scripts · includes\class-event-monster-update-notice.php:62
action · admin_init · includes\class-event-monster-updater.php:30
action · admin_notices · includes\class-event-monster-updater.php:31

Maintenance & Trust

Event Monster – Manager & Ticket Booking Maintenance & Trust

Maintenance Signals

  • WordPress version tested: 6.9.4
  • Last updated: Jan 29, 2026
  • PHP min version: 7.4
  • Downloads: 75K

Community Trust

  • Rating: 96/100
  • Number of ratings: 19
  • Active installs: 800

Developer Profile

Event Monster – Manager & Ticket Booking Developer Profile

A WP Life

61 plugins · 64K total installs

  • Trust score: 77
  • Avg Security Score: 97/100
  • Avg Patch Time: 267 days

Detection Fingerprints

How We Detect Event Monster – Manager & Ticket Booking

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/event-monster/assets/css/admin-layout-settings.css
  • /wp-content/plugins/event-monster/assets/css/event-monster-frontend.css
  • /wp-content/plugins/event-monster/assets/css/event-monster-admin.css
  • /wp-content/plugins/event-monster/assets/js/event-monster-admin.js
  • /wp-content/plugins/event-monster/assets/js/event-monster-frontend.js
  • /wp-content/plugins/event-monster/assets/js/layout-builder.js
  • /wp-content/plugins/event-monster/assets/js/components/countdown.js
  • /wp-content/plugins/event-monster/assets/js/components/gallery.js
  • +8 more

Script Paths
  • /wp-content/plugins/event-monster/assets/js/event-monster-admin.js
  • /wp-content/plugins/event-monster/assets/js/event-monster-frontend.js
  • /wp-content/plugins/event-monster/assets/js/layout-builder.js

Version Parameters
  • event-monster/assets/css/admin-layout-settings.css?ver=
  • event-monster/assets/css/event-monster-frontend.css?ver=
  • event-monster/assets/css/event-monster-admin.css?ver=
  • event-monster/assets/js/event-monster-admin.js?ver=
  • event-monster/assets/js/event-monster-frontend.js?ver=
  • event-monster/assets/js/layout-builder.js?ver=

HTML / DOM Fingerprints

CSS Classes
  • em-layout-builder
  • em-component-box
  • em-component-box-header
  • em-component-box-content
  • em-component-box-details
  • em-component-box-map
  • em-component-box-gallery
  • em-component-box-schedule
  • +6 more

HTML Comments
  • <!-- Event Layout Configuration -->
  • <!-- Add layout meta box to event edit page -->
  • <!-- Render layout meta box content -->
  • <!-- Add nonce field -->
  • +8 more

Data Attributes
  • data-component-id
  • data-component-type
  • data-event-id
  • data-layout-config

JS Globals
  • EM_Layout_Builder
  • EM_Component_Manager
  • EM_Layout_Config

Shortcode Output
  • [event_monster_events]
  • [event_monster_single_event]

FAQ

Frequently Asked Questions about Event Monster – Manager & Ticket Booking