Event post Security & Risk Analysis

wordpress.org/plugins/event-post

The only WordPress plugin using native posts as full calendar events with begin and end date, geolocation, color and weather.

1K active installs · v5.11.0 · PHP + WP 6.3+ · Updated Jan 6, 2026
Tags: booking, calendar, events, geolocation, map

Score: 62 (C · Use Caution)
CVEs total: 11
Unpatched: 1
Last CVE: Oct 16, 2025
Safety Verdict

Is Event post Safe to Use in 2026?

Use With Caution

Score 62/100

Event post has 1 unpatched vulnerability. Evaluate alternatives or apply available mitigations.

11 known CVEs · 1 unpatched · Last CVE: Oct 16, 2025 · Updated 2mo ago
Risk Assessment

The security posture of event-post v5.11.0 raises significant concerns, driven by the number of AJAX handlers that the static analysis could not tie to a nonce or capability check, and by a long vulnerability history. The plugin does show good practice elsewhere: both of its SQL queries are prepared, and about 80% of its output is escaped. But across the whole code base the scanner found only 3 nonce checks and 1 capability check against 18 AJAX entry points with no detected authorization, five of them registered on wp_ajax_nopriv_ and therefore reachable without logging in. Taint analysis found no unsanitized source-to-sink path in the two flows it traced, which suggests that direct file-inclusion or path-traversal bugs are not apparent in the analyzed code; it says nothing about what each AJAX handler does with its parameters. The handlers that change state (inline-save, EventPostAddChild and EventPostDeleteChild, the last two also exposed through admin_post_ hooks at inc\class-children.php:64-65) are the ones to check by hand for check_ajax_referer() and current_user_can() before they touch post data.

The vulnerability history is the larger concern: 11 CVEs, one critical and ten medium. Eight of the eleven are authenticated (Contributor+) stored cross-site scripting bugs, most of them in shortcode handling and six of them disclosed in 2025 alone, which points to the same output-escaping weakness being fixed one attribute at a time rather than systematically. The critical issue, CVE-2024-38735 (unauthenticated local file inclusion, CVSS 9.8), was patched in 5.9.6 after 28 days. The one CVE this page lists as unpatched is not the critical one: it is CVE-2024-1375, a medium-severity (4.3) cross-site request forgery whose advisory title gives an affected range of <= 5.9.10. Confirm against the advisory whether 5.11.0 is still exposed before treating it as an open hole. The most recent CVE (Oct 16, 2025) and the Jan 6, 2026 release show that the maintainer responds quickly (most patches landed within a week of disclosure) but also that new instances of the same bug class keep being found.

In short, prepared statements and largely escaped output do not offset an AJAX surface without detected authorization and a recurring XSS pattern. Treat the plugin as usable only with mitigations: keep it on the latest release, limit Contributor-level accounts to people you trust (every stored XSS listed here requires one), and review the state-changing AJAX handlers and the unpatched CSRF report yourself. If those conditions cannot be met, replace it.

Key Concerns

  • 18 AJAX handlers with no detected nonce or capability check (5 reachable unauthenticated via wp_ajax_nopriv_)
  • 1 CVE listed as unpatched: CVE-2024-1375, medium-severity CSRF (affected <= 5.9.10 per its advisory; verify against 5.11.0)
  • History of 1 critical CVE (unauthenticated file inclusion, patched in 5.9.6) and 10 medium CVEs
  • History of Cross-Site Scripting (XSS): 8 stored XSS advisories, all Contributor+
  • History of PHP file inclusion (classified as Remote File Inclusion; the advisory describes it as Local File Inclusion)
  • History of Cross-Site Request Forgery (CSRF)
  • History of Improper Access Control
  • Limited capability checks (1 found)
  • Presence of file operations (3)
  • Presence of external HTTP requests (3)
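The "unprotected AJAX handler" finding above is about a specific code shape, shown here as an added illustrative example. This is not Event post's code: the action names, the myplugin_ prefix and the meta keys are hypothetical; every function called is a real WordPress API. The first handler is the pattern a static scanner flags; the second is the same action with the checks a state-changing endpoint needs; the last shows what a read-only public (nopriv) endpoint must still do.

```php
<?php
// Added example, not Event post code. Handler names, the "myplugin_" prefix and
// meta keys are hypothetical; the WordPress functions are real.

// BEFORE: the shape a scanner reports as "unprotected". The callback is reachable
// at /wp-admin/admin-ajax.php?action=myplugin_delete_child by any logged-in user
// (wp_ajax_) and, because of the nopriv registration, by anonymous visitors too.
add_action( 'wp_ajax_myplugin_delete_child',        'myplugin_delete_child_unprotected' );
add_action( 'wp_ajax_nopriv_myplugin_delete_child', 'myplugin_delete_child_unprotected' );

function myplugin_delete_child_unprotected() {
    $child_id = (int) $_POST['child_id'];   // no nonce, no capability check
    delete_post_meta( $child_id, 'myplugin_parent' );
    wp_send_json_success();
}

// AFTER: a state-changing action gets (1) no nopriv registration, (2) a nonce
// bound to the action name, (3) a capability check scoped to the target object
// and (4) input coercion before use.
add_action( 'wp_ajax_myplugin_delete_child', 'myplugin_delete_child_protected' );

function myplugin_delete_child_protected() {
    // Ends the request with HTTP 403 if the 'nonce' field is missing or stale.
    check_ajax_referer( 'myplugin_delete_child', 'nonce' );

    $child_id = isset( $_POST['child_id'] ) ? absint( $_POST['child_id'] ) : 0;
    // edit_post is a meta capability: it is resolved per post, so an author
    // cannot delete relations on someone else's post.
    if ( ! $child_id || ! current_user_can( 'edit_post', $child_id ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    delete_post_meta( $child_id, 'myplugin_parent' );
    wp_send_json_success();
}

// The nonce the client sends is generated server-side when the script is
// enqueued, never hard-coded in JavaScript.
add_action( 'admin_enqueue_scripts', function () {
    wp_enqueue_script( 'myplugin-admin', plugins_url( 'js/admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'myplugin-admin', 'myplugin', array(
        'ajax_url' => admin_url( 'admin-ajax.php' ),
        'nonce'    => wp_create_nonce( 'myplugin_delete_child' ),
    ) );
} );

// Read-only endpoints that must stay public (a calendar feed) may keep the nopriv
// hook, but then every parameter is attacker-controlled: coerce types, bound
// ranges, never return non-public posts, and escape what goes back to the page.
add_action( 'wp_ajax_nopriv_myplugin_calendar', 'myplugin_calendar_public' );
add_action( 'wp_ajax_myplugin_calendar',        'myplugin_calendar_public' );

function myplugin_calendar_public() {
    $year  = isset( $_GET['year'] )  ? absint( $_GET['year'] )  : (int) gmdate( 'Y' );
    $month = isset( $_GET['month'] ) ? absint( $_GET['month'] ) : (int) gmdate( 'n' );
    if ( $year < 1970 || $year > 2100 || $month < 1 || $month > 12 ) {
        wp_send_json_error( array( 'message' => 'bad date' ), 400 );
    }
    $events = get_posts( array(
        'post_type'   => 'post',
        'post_status' => 'publish',   // drafts and private posts never reach anonymous callers
        'meta_query'  => array( array(
            'key'     => 'myplugin_begin',                 // hypothetical meta key
            'value'   => sprintf( '%04d-%02d', $year, $month ),
            'compare' => 'LIKE',
        ) ),
    ) );
    $out = array();
    foreach ( $events as $event ) {
        $out[] = array( 'id' => $event->ID, 'title' => esc_html( get_the_title( $event ) ) );
    }
    wp_send_json_success( $out );
}
```

When reviewing the 18 handlers listed under Attack Surface, the question for each is which of these two shapes it has: a nopriv registration on an action that writes anything is a bug regardless of what the nonce check looks like, and a nonce alone is not authorization, since any logged-in user can obtain one from a page that localizes it.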
Vulnerabilities (11)

Event post Security Vulnerabilities

CVEs by Year

  • 2023: 1 CVE
  • 2024: 4 CVEs (1 unpatched)
  • 2025: 6 CVEs

Severity Breakdown

  • Critical: 1
  • Medium: 10

11 total CVEs

CVE-2025-62042 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Event post <= 5.10.3 - Authenticated (Contributor+) Stored Cross-Site Scripting
Oct 16, 2025 · Patched in 5.10.4 (7d)

CVE-2025-49298 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Event post <= 5.10.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
Jun 5, 2025 · Patched in 5.10.2 (7d)

CVE-2025-46228 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Event post <= 5.9.11 - Authenticated (Contributor+) Stored Cross-Site Scripting
Apr 22, 2025 · Patched in 5.10.0 (9d)

CVE-2025-2167 · medium · 5.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Event post <= 5.9.9 - Authenticated (Contributor+) Stored Cross-Site Scripting
Mar 25, 2025 · Patched in 5.9.10 (1d)

CVE-2025-26923 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Event post <= 5.9.8 - Authenticated (Contributor+) Stored Cross-Site Scripting
Mar 11, 2025 · Patched in 5.9.9 (7d)

CVE-2025-24585 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Event post <= 5.9.7 - Authenticated (Contributor+) Stored Cross-Site Scripting
Jan 24, 2025 · Patched in 5.9.8 (5d)

CVE-2024-10186 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Event Post <= 5.9.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via events_cal Shortcode
Nov 5, 2024 · Patched in 5.9.7 (1d)

CVE-2024-38735 · critical · 9.8 · Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Event post <= 5.9.5 - Unauthenticated Local File Inclusion
Jul 11, 2024 · Patched in 5.9.6 (28d)

CVE-2024-1375 · medium · 4.3 · Cross-Site Request Forgery (CSRF)
Event post <= 5.9.10 - Cross-Site Request Forgery
Jul 11, 2024 · Unpatched

CVE-2024-1376 · medium · 4.3 · Improper Access Control
Event post <= 5.9.4 - Missing Authorization
May 23, 2024 · Patched in 5.9.5 (1d)

CVE-2023-49179 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Event post <= 5.9.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Nov 29, 2023 · Patched in 5.9.1 (115d)
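Eight of the advisories above are the same bug class: a Contributor saves a post containing a shortcode whose attribute value is echoed into HTML at render time without escaping. The following is an added illustrative example of that class and of the context-specific fix; it is not Event post's code (the shortcode name, attribute names and markup are hypothetical, while shortcode_atts(), esc_attr(), esc_html(), wp_kses_post() and add_shortcode() are real WordPress functions).

```php
<?php
// Added example, not Event post code: shortcode name, attribute names and the
// output markup are hypothetical; the WordPress functions are real.

// BEFORE. A Contributor can save a post containing
//   [myplugin_events title='x' color='#000" onmouseover="alert(1)']
// The shortcode parser accepts single-quoted values, so the double quote inside
// one survives. KSES strips unsafe HTML from a Contributor's post body on save,
// but this is plain text, not a tag: the HTML is assembled here at render time,
// unescaped, and runs for whoever views or previews the post, including the
// editor or administrator reviewing it for publication.
function myplugin_events_shortcode_unescaped( $atts ) {
    $atts = shortcode_atts( array( 'color' => '#000', 'title' => '' ), $atts, 'myplugin_events' );
    return '<div class="myplugin-events" style="color:' . $atts['color'] . '">'
         . '<h3>' . $atts['title'] . '</h3></div>';
}

// AFTER. Escape for the exact output context (esc_attr inside an attribute,
// esc_html for element text) and validate values that have a known shape instead
// of only escaping them: an arbitrary string inside a style attribute is still
// CSS injection after esc_attr, so the colour is pinned to a hex code. The check
// is a local regex rather than sanitize_hex_color() so the example does not
// depend on which WordPress files happen to be loaded.
function myplugin_valid_hex_color( $value, $default = '#000' ) {
    return preg_match( '/^#(?:[0-9a-f]{3}|[0-9a-f]{6})$/i', (string) $value ) ? $value : $default;
}

function myplugin_events_shortcode_escaped( $atts ) {
    $atts  = shortcode_atts( array( 'color' => '#000', 'title' => '' ), $atts, 'myplugin_events' );
    $color = myplugin_valid_hex_color( $atts['color'] );
    return '<div class="myplugin-events" style="' . esc_attr( 'color:' . $color ) . '">'
         . '<h3>' . esc_html( $atts['title'] ) . '</h3></div>';
}
add_shortcode( 'myplugin_events', 'myplugin_events_shortcode_escaped' );

// A value that legitimately carries markup (an event description, say) is
// filtered with wp_kses_post() rather than trusted or escaped into visible tags.
function myplugin_event_description( $raw_html ) {
    return wp_kses_post( $raw_html );
}
```

The "80% escaped" figure under Code Analysis is the statistic this pattern produces: the fix is per output site, so each unescaped attribute left behind becomes its own advisory, which is why the list above grows by one entry at a time.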
Code Analysis (analyzed Mar 16, 2026)

Event post Code Analysis

  • Dangerous Functions: 0
  • Raw SQL Queries: 0 (2 prepared)
  • Unescaped Output: 158 (634 escaped)
  • Nonce Checks: 3
  • Capability Checks: 1
  • File Operations: 3
  • External Requests: 3
  • Bundled Libraries: 0

SQL Query Safety: 100% prepared, 2 total queries

Output Escaping: 80% escaped, 792 total outputs

Data Flows: all sanitized

Data Flow Analysis

2 flows traced. Legend: Source (user input), Sink (dangerous op), Sanitizer, Transform; each flow is marked Unsanitized or Sanitized.

  • HumanDate (eventpost.php:2893): sanitized
Attack Surface: 18 unprotected

Event post Attack Surface

Entry Points: 18
Unprotected: 18

AJAX Handlers (18)

  Type     Hook                               Location
  auth     wp_ajax_EventPostGetLatLong        eventpost.php:386
  auth     wp_ajax_EventPostHumanDate         eventpost.php:387
  auth     wp_ajax_EventPostList              eventpost.php:388
  auth     wp_ajax_EventPostTimeline          eventpost.php:389
  auth     wp_ajax_EventPostNextPage          eventpost.php:390
  nopriv   wp_ajax_EventPostNextPage          eventpost.php:391
  auth     wp_ajax_EventPostMap               eventpost.php:392
  auth     wp_ajax_EventPostCalendar          eventpost.php:393
  nopriv   wp_ajax_EventPostCalendar          eventpost.php:394
  auth     wp_ajax_EventPostCalendarDate      eventpost.php:395
  nopriv   wp_ajax_EventPostCalendarDate      eventpost.php:396
  auth     wp_ajax_EventPostExport            eventpost.php:400
  nopriv   wp_ajax_EventPostExport            eventpost.php:401
  auth     wp_ajax_EventPostFeed              eventpost.php:402
  nopriv   wp_ajax_EventPostFeed              eventpost.php:403
  auth     wp_ajax_inline-save                eventpost.php:412
  auth     wp_ajax_EventPostAddChild          inc\class-children.php:67
  auth     wp_ajax_EventPostDeleteChild       inc\class-children.php:68

"nopriv" rows are registered on the wp_ajax_nopriv_ prefix, so their callbacks run for requests with no login session.
WordPress Hooks (64)

  Type     Hook                                          Location
  action   init                                          eventpost.php:363
  action   init                                          eventpost.php:364
  action   init                                          eventpost.php:365
  action   save_post                                     eventpost.php:367
  filter   dashboard_glance_items                        eventpost.php:368
  action   admin_init                                    eventpost.php:371
  action   admin_enqueue_scripts                         eventpost.php:372
  action   admin_print_scripts                           eventpost.php:373
  action   admin_print_scripts                           eventpost.php:374
  action   wp_enqueue_scripts                            eventpost.php:375
  action   wp_enqueue_scripts                            eventpost.php:376
  filter   the_content                                   eventpost.php:379
  filter   the_title                                     eventpost.php:380
  action   the_event                                     eventpost.php:381
  action   wp_head                                       eventpost.php:382
  action   wpseo_schema_webpage                          eventpost.php:383
  action   parse_request                                 eventpost.php:399
  filter   eventpost_list_shema                          eventpost.php:406
  action   bulk_edit_custom_box                          eventpost.php:409
  action   quick_edit_custom_box                         eventpost.php:410
  action   admin_print_scripts-edit.php                  eventpost.php:411
  action   bulk_edit_posts                               eventpost.php:413
  filter   eventpost_inline_field                        eventpost.php:414
  filter   eventpost_inline_field                        eventpost.php:415
  action   add_meta_boxes                                eventpost.php:474
  action   wp_loaded                                     inc\blocks\eventdetails.php:22
  action   wp_loaded                                     inc\blocks\eventscalendar.php:30
  action   wp_loaded                                     inc\blocks\eventslist.php:22
  action   wp_loaded                                     inc\blocks\eventsmap.php:33
  action   wp_loaded                                     inc\blocks\eventstimeline.php:26
  action   eventpost_getsettings_action                  inc\class-children.php:27
  action   eventpost_settings_form                       inc\class-children.php:28
  action   evenpost_init                                 inc\class-children.php:29
  action   wp_loaded                                     inc\class-children.php:30
  filter   eventpost_retreive                            inc\class-children.php:54
  filter   eventpost_get_post_types                      inc\class-children.php:55
  filter   eventpost_contentbar                          inc\class-children.php:56
  action   eventpost_add_custom_box                      inc\class-children.php:58
  filter   eventpost_add_custom_box_position             inc\class-children.php:59
  action   admin_notices                                 inc\class-children.php:60
  action   save_post                                     inc\class-children.php:61
  action   edit_form_top                                 inc\class-children.php:62
  action   admin_post_EventPostAddChild                  inc\class-children.php:64
  action   admin_post_EventPostDeleteChild               inc\class-children.php:65
  filter   eventpost_columns_head                        inc\class-children.php:70
  action   eventpost_columns_content                     inc\class-children.php:71
  filter   eventpost_contentbar                          inc\class-children.php:523
  action   init                                          inc\class-icons.php:23
  filter   eventpost_params                              inc\class-multisite.php:23
  filter   eventpost_get                                 inc\class-multisite.php:24
  action   admin_menu                                    inc\class-settings.php:16
  action   admin_init                                    inc\class-settings.php:17
  filter   plugin_action_links_event-post/eventpost.php  inc\class-settings.php:18
  filter   plugin_row_meta                               inc\class-settings.php:19
  action   eventpost_getsettings_action                  inc\openweathermap.php:37
  action   eventpost_settings_form                       inc\openweathermap.php:38
  action   evenpost_init                                 inc\openweathermap.php:39
  filter   eventpost_params                              inc\openweathermap.php:180
  filter   eventpost_retreive                            inc\openweathermap.php:181
  filter   eventpost_item_scheme_entities                inc\openweathermap.php:184
  filter   eventpost_item_scheme_values                  inc\openweathermap.php:185
  filter   eventpost_default_list_shema                  inc\openweathermap.php:186
  filter   eventpost_get_single                          inc\openweathermap.php:187
  action   eventpost_custom_box_date                     inc\openweathermap.php:190

The two admin_post_ hooks at inc\class-children.php:64-65 expose the same Add/DeleteChild actions through /wp-admin/admin-post.php, so they are entry points in their own right and need the same nonce and capability checks as the AJAX handlers above.
Maintenance & Trust

Event post Maintenance & Trust

Maintenance Signals

  • WordPress version tested: 6.8.5
  • Last updated: Jan 6, 2026
  • PHP min version: not listed
  • Downloads: 82K

Community Trust

  • Rating: 86/100
  • Number of ratings: 35
  • Active installs: 1K
Developer Profile

Event post Developer Profile

Bastien Ho: 12 plugins · 2K total installs

  • Trust score: 86
  • Avg Security Score: 88/100
  • Avg Patch Time: 15 days
Detection Fingerprints

How We Detect Event post

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  /wp-content/plugins/event-post/css/event-post.css
  /wp-content/plugins/event-post/css/event-post-admin.css
  /wp-content/plugins/event-post/css/event-post-single.css
  /wp-content/plugins/event-post/css/event-post-widgets.css
  /wp-content/plugins/event-post/css/event-post-calendar.css
  /wp-content/plugins/event-post/css/event-post-timeline.css
  /wp-content/plugins/event-post/css/event-post-editor.css
  /wp-content/plugins/event-post/js/event-post.js
  +7 more

Script Paths
  /wp-content/plugins/event-post/js/event-post.js
  /wp-content/plugins/event-post/js/event-post-admin.js
  /wp-content/plugins/event-post/js/event-post-calendar.js
  /wp-content/plugins/event-post/js/event-post-timeline.js
  /wp-content/plugins/event-post/js/event-post-map.js
  /wp-content/plugins/event-post/js/event-post-single.js
  +2 more

Version Parameters
  event-post/css/event-post.css?ver=
  event-post/css/event-post-admin.css?ver=
  event-post/css/event-post-single.css?ver=
  event-post/css/event-post-widgets.css?ver=
  event-post/css/event-post-calendar.css?ver=
  event-post/css/event-post-timeline.css?ver=
  event-post/css/event-post-editor.css?ver=
  event-post/js/event-post.js?ver=
  event-post/js/event-post-admin.js?ver=
  event-post/js/event-post-calendar.js?ver=
  event-post/js/event-post-timeline.js?ver=
  event-post/js/event-post-map.js?ver=
  event-post/js/event-post-single.js?ver=
  event-post/js/event-post-editor.js?ver=
  event-post/js/event-post-blocks.js?ver=

HTML / DOM Fingerprints

CSS Classes
  event-post, event-post-widget, event-post-list, event-post-timeline, event-post-map, event-post-calendar, event-post-calendar-widget, event-post-single, +5 more

HTML Comments
  <!-- The main class where everything begins. -->
  <!-- Post metas -->
  <!-- Post metas related to location -->
  <!-- Post metas related to status -->
  +4 more

Data Attributes
  data-event-begin, data-event-end, data-event-color, data-event-icon, data-geo-address, data-geo-latitude, +6 more

JS Globals
  EventPost, eventPostAdmin, eventPostCalendar, eventPostTimeline, eventPostMap, eventPostSingle, +2 more

REST Endpoints
  /wp-json/event-post/v1/events
  /wp-json/event-post/v1/settings

Shortcode Output
  [event_post_list] [event_post_timeline] [event_post_map] [event_post_calendar]
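How these fingerprints are used in practice, as an added example that is neither this site's scanner nor Event post code: match the asset paths above in a fetched page, pull the version out of the ?ver= parameter, and compare it against the affected ranges from the CVE table on this page. The sample HTML is constructed for the demonstration, the function names are hypothetical, and it is an assumption that ?ver= carries the plugin version (a plugin can enqueue assets with the WordPress version or a file hash instead, so confirm on a live target).

```php
<?php
// Added example, not the site's scanner and not Event post code. The sample HTML
// is constructed; function names are hypothetical; the assumption that ?ver=
// holds the plugin version must be confirmed per target.

// (affected_max, CVE) taken from the advisory titles on this page. CVE-2024-1375
// is the one listed as unpatched; its advisory still bounds it at <= 5.9.10.
const EVENT_POST_CVES = array(
    array( '5.9.0',  'CVE-2023-49179' ),
    array( '5.9.4',  'CVE-2024-1376' ),
    array( '5.9.5',  'CVE-2024-38735' ),
    array( '5.9.6',  'CVE-2024-10186' ),
    array( '5.9.7',  'CVE-2025-24585' ),
    array( '5.9.8',  'CVE-2025-26923' ),
    array( '5.9.9',  'CVE-2025-2167' ),
    array( '5.9.10', 'CVE-2024-1375' ),
    array( '5.9.11', 'CVE-2025-46228' ),
    array( '5.10.1', 'CVE-2025-49298' ),
    array( '5.10.3', 'CVE-2025-62042' ),
);

// Returns null when no Event post asset or endpoint is referenced; otherwise the
// matched paths and the version string if a ?ver= parameter was found on one.
function event_post_fingerprint( string $html ): ?array {
    $paths = array(
        '/wp-content/plugins/event-post/css/event-post.css',
        '/wp-content/plugins/event-post/js/event-post.js',
        '/wp-json/event-post/v1/events',
    );
    $hits = array();
    foreach ( $paths as $path ) {
        if ( strpos( $html, $path ) !== false ) {
            $hits[] = $path;
        }
    }
    if ( empty( $hits ) ) {
        return null;
    }
    $version = null;
    // Any of the event-post css/js assets listed under Version Parameters.
    if ( preg_match( '#/event-post/(?:css|js)/event-post[\w-]*\.(?:css|js)\?ver=([0-9]+(?:\.[0-9]+)*)#', $html, $m ) ) {
        $version = $m[1];
    }
    return array( 'paths' => $hits, 'version' => $version );
}

// CVEs whose advisory range ("<= affected_max") covers the detected version.
function event_post_cves_for( string $version ): array {
    $cves = array();
    foreach ( EVENT_POST_CVES as $entry ) {
        list( $affected_max, $cve ) = $entry;
        if ( version_compare( $version, $affected_max, '<=' ) ) {
            $cves[] = $cve;
        }
    }
    return $cves;
}

// Constructed sample page: a front end that enqueues the plugin's CSS and JS.
$sample_html = <<<'HTML'
<link rel="stylesheet" id="event-post-css" href="https://example.test/wp-content/plugins/event-post/css/event-post.css?ver=5.9.8" media="all">
<script src="https://example.test/wp-content/plugins/event-post/js/event-post.js?ver=5.9.8"></script>
HTML;

$fp = event_post_fingerprint( $sample_html );
if ( $fp === null ) {
    echo "Event post not detected\n";
} else {
    printf( "Event post detected via %s\n", implode( ', ', $fp['paths'] ) );
    if ( $fp['version'] === null ) {
        // WordPress.org plugins ship a readme.txt with a "Stable tag" line; that
        // is the fallback when assets carry no usable version.
        echo "Version unknown: fetch /wp-content/plugins/event-post/readme.txt\n";
    } else {
        $cves = event_post_cves_for( $fp['version'] );
        printf( "Version %s; advisories in range: %s\n", $fp['version'], $cves ? implode( ', ', $cves ) : 'none' );
    }
}
```

For the constructed 5.9.8 sample this reports six advisories (every entry with an affected range of 5.9.8 or later). Treat the version as a lead, not a verdict: a site can expose an old ?ver= through caching or a hard-coded enqueue string, and a site on 5.11.0 still needs the unpatched CSRF report confirmed against the advisory rather than inferred from this table.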
FAQ

Frequently Asked Questions about Event post