EventON – Events Calendar Security & Risk Analysis

wordpress.org/plugins/eventon-lite

Create beautiful, responsive event calendars with unlimited events, repeating schedules, virtual support, and a sleek minimal design!

6K active installs · v2.5 · PHP + WP 6.0+ · Updated Mar 3, 2026
Tags: calendar, event-calendar, event-management, events, virtual-events
Score: 85 · A · Safe
CVEs total: 12
Unpatched: 0
Last CVE: Aug 14, 2025
Safety Verdict

Is EventON – Events Calendar Safe to Use in 2026?

Generally Safe

Score 85/100

EventON – Events Calendar has a strong security track record. Known vulnerabilities have been patched promptly.

12 known CVEs · Last CVE: Aug 14, 2025 · Updated 1mo ago
Risk Assessment

Eventon-Lite v2.5 exhibits a mixed security posture, with some positive aspects offset by significant concerns. The plugin demonstrates a reasonable effort towards secure coding practices, evidenced by a majority of SQL queries using prepared statements and a high percentage of properly escaped output. It also implements a good number of nonce and capability checks. However, the presence of two AJAX handlers without authentication checks presents a direct and exploitable attack surface. Furthermore, the static analysis reveals the use of dangerous functions like `preg_replace` with the 'e' modifier and `unserialize`, which can be potent vectors for code injection if not handled with extreme care. The taint analysis, while showing no critical or high severity flows, indicates eight flows with unsanitized paths, suggesting potential for vulnerabilities even if not immediately critical.

The plugin's vulnerability history is a major red flag. A total of 12 known CVEs, including one critical and three high-severity, point to a pattern of recurring security weaknesses. Common vulnerability types such as exposure of sensitive information, remote file inclusion, missing authorization, and cross-site scripting indicate systemic issues in how user input is handled and access is controlled. The fact that there are currently no unpatched vulnerabilities is a positive sign, but the historical prevalence of critical and high-severity flaws suggests that the underlying codebase may have deep-seated security flaws that require thorough and ongoing remediation.

In conclusion, while Eventon-Lite v2.5 shows some commitment to secure coding, the combination of unprotected AJAX endpoints, dangerous function usage, unsanitized taint flows, and a substantial history of critical and high-severity vulnerabilities necessitates a cautious approach. Users should be aware of the potential risks, and developers should prioritize addressing the identified weaknesses comprehensively.

Key Concerns

  • Unprotected AJAX handlers
  • Use of dangerous function: preg_replace(/e)
  • Use of dangerous function: unserialize
  • Flows with unsanitized paths in taint analysis
  • Total known CVEs (historically significant)
  • Critical severity CVEs in history
  • High severity CVEs in history
  • Vulnerability type: PHP Remote File Inclusion
  • Vulnerability type: Missing Authorization
  • Vulnerability type: Cross-site Scripting
Vulnerabilities · 12

EventON – Events Calendar Security Vulnerabilities

CVEs by Year

  • 2023: 4 CVEs
  • 2024: 3 CVEs
  • 2025: 5 CVEs

Severity Breakdown

  • Critical: 1
  • High: 3
  • Medium: 7
  • Low: 1

12 total CVEs

CVE-2025-8091 · medium · 4.3 · Exposure of Sensitive Information to an Unauthorized Actor

EventON Lite <= 2.4.7 - Authenticated (Contributor+) Information Disclosure

Aug 14, 2025 Patched in 2.4.8 (83d)
CVE-2025-48116 · medium · 5.3 · Missing Authorization

EventON <= 2.4.4 - Missing Authorization

May 16, 2025 Patched in 2.4.5 (14d)
CVE-2025-47494 · high · 8.8 · Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

EventON <= 2.4.1 - Authenticated (Contributor+) Local File Inclusion

May 7, 2025 Patched in 2.4.2 (7d)
CVE-2025-32614 · critical · 9.8 · Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

EventON <= 2.4 - Unauthenticated Local File Inclusion

Apr 9, 2025 Patched in 2.4.1 (27d)
CVE-2025-32160 · high · 8.8 · Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

EventON <= 2.4.1 - Authenticated (Contributor+) Local File Inclusion

Apr 4, 2025 Patched in 2.4.2 (32d)
CVE-2024-6910 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

EventON <= 2.2.16 - Authenticated (Admin+) Stored Cross-Site Scripting

Aug 19, 2024 Patched in 2.2.17 (25d)
CVE-2024-6180 · high · 7.2 · Missing Authorization

EventON <= 2.2.15 - Missing Authorization to Unauthenticated Stored Cross-Site Scripting and Plugin Settings Updates

Jul 8, 2024 Patched in 2.2.16 (22d)
CVE-2024-33940 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

EventON <= 2.2.14 - Authenticated (Administrator+) Stored Cross-Site Scripting

Apr 30, 2024 Patched in 2.2.15 (102d)
CVE-2023-6046 · low · 3 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

EventON <= 2.1.7 - Authenticated (Admin+) HTML Injection

Nov 9, 2023 Patched in 2.2 (90d)
CVE-2023-4635 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

EventON <= 2.2.2 - Reflected Cross-Site Scripting

Oct 20, 2023 Patched in 2.2.3 (95d)
CVE-2023-4388 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

EventON <= 2.1.7 - Authenticated (Admin+) Stored Cross-Site Scripting

Sep 21, 2023 Patched in 2.2 (124d)
CVE-2023-2796 · medium · 5.3 · Missing Authorization

EventON <= 2.1 - Missing Authorization to Event Access

Jun 19, 2023 Patched in 2.1.2 (218d)
Code Analysis
Analyzed Mar 16, 2026

EventON – Events Calendar Code Analysis

  • Dangerous Functions: 7
  • Raw SQL Queries: 7 (15 prepared)
  • Unescaped Output: 412 (1231 escaped)
  • Nonce Checks: 8
  • Capability Checks: 12
  • File Operations: 2
  • External Requests: 2
  • Bundled Libraries: 1

Dangerous Functions Found

  • preg_replace(/e) · `preg_replace('/e` · includes\admin\eventon-admin-functions.php:201
  • unserialize · `return unserialize($option_arr);` · includes\admin\eventon-admin-functions.php:52
  • unserialize · `$repeats = unserialize($this->meta_data['repeat_intervals'][0]);` · includes\class-event.php:717
  • unserialize · `return unserialize($this->meta_data['repeat_intervals'][0]);` · includes\class-event.php:726
  • unserialize · `return count(unserialize($this->meta_data['repeat_intervals'][0])) -1;` · includes\class-event.php:732
  • unserialize · `if($O1 && count($O1)>0) $OUT[$C->taxonomy][$B->term_taxonomy_id] = unserialize( $O1[0]->option_value` · includes\class-event.php:925
  • unserialize · `$intervals = unserialize($post_meta['repeat_intervals'][0]);` · includes\class-evo-datetime.php:26

Bundled Libraries

Select2

SQL Query Safety

68% prepared · 22 total queries

Output Escaping

75% escaped · 1643 total outputs
Data Flows · 8 unsanitized

Data Flow Analysis

13 flows · 8 with unsanitized paths
event_tax_save_changes (includes\admin\class-admin-taxonomies_editor.php:133)
Attack Surface · 2 unprotected

EventON – Events Calendar Attack Surface

Entry Points: 10
Unprotected: 2

AJAX Handlers 2

auth · wp_ajax_eventon-feature-event · includes\admin\class-admin-ajax.php:55
nopriv · wp_ajax_eventon-feature-event · includes\admin\class-admin-ajax.php:56

Shortcodes 8

[add_ajde_evcal] includes\class-evo-shortcodes.php:18
[add_eventon] includes\class-evo-shortcodes.php:19
[add_eventon_list] includes\class-evo-shortcodes.php:20
[add_single_eventon] includes\class-evo-shortcodes.php:21
[add_eventon_now] includes\class-evo-shortcodes.php:22
[add_eventon_sv] includes\class-evo-shortcodes.php:23
[test_eventon_shortcode] includes\class-evo-shortcodes.php:24
[add_eventon_search] includes\class-search.php:13
WordPress Hooks 140
action · admin_init · includes\admin\class-admin-taxonomies.php:18
action · event_type_pre_add_form · includes\admin\class-admin-taxonomies.php:19
action · admin_init · includes\admin\class-admin-taxonomies.php:20
action · admin_init · includes\admin\class-admin-taxonomies.php:21
filter · manage_edit-event_type_columns · includes\admin\class-admin-taxonomies.php:24
filter · manage_event_type_custom_column · includes\admin\class-admin-taxonomies.php:25
filter · manage_edit-event_type_2_columns · includes\admin\class-admin-taxonomies.php:28
filter · manage_event_type_2_custom_column · includes\admin\class-admin-taxonomies.php:29
action · event_type_add_form_fields · includes\admin\class-admin-taxonomies.php:31
action · event_type_edit_form_fields · includes\admin\class-admin-taxonomies.php:33
action · edited_event_type · includes\admin\class-admin-taxonomies.php:34
action · create_event_type · includes\admin\class-admin-taxonomies.php:35
action · event_location_term_edit_form_top · includes\admin\class-admin-taxonomies.php:38
filter · manage_edit-event_location_columns · includes\admin\class-admin-taxonomies.php:39
filter · manage_event_location_custom_column · includes\admin\class-admin-taxonomies.php:40
action · event_location_add_form_fields · includes\admin\class-admin-taxonomies.php:41
action · event_location_edit_form_fields · includes\admin\class-admin-taxonomies.php:42
action · edited_event_location · includes\admin\class-admin-taxonomies.php:43
action · create_event_location · includes\admin\class-admin-taxonomies.php:44
action · event_location_edit_form · includes\admin\class-admin-taxonomies.php:45
action · event_organizer_edit_form · includes\admin\class-admin-taxonomies.php:46
action · event_organizer_term_edit_form_top · includes\admin\class-admin-taxonomies.php:49
filter · manage_edit-event_organizer_columns · includes\admin\class-admin-taxonomies.php:50
filter · manage_event_organizer_custom_column · includes\admin\class-admin-taxonomies.php:51
action · event_organizer_add_form_fields · includes\admin\class-admin-taxonomies.php:52
action · event_organizer_edit_form_fields · includes\admin\class-admin-taxonomies.php:53
action · edited_event_organizer · includes\admin\class-admin-taxonomies.php:54
action · create_event_organizer · includes\admin\class-admin-taxonomies.php:55
action · admin_menu · includes\admin\class-evo-admin.php:24
action · admin_init · includes\admin\class-evo-admin.php:25
action · admin_action_duplicate_event · includes\admin\class-evo-admin.php:27
action · media_buttons · includes\admin\class-evo-admin.php:30
filter · tiny_mce_version · includes\admin\class-evo-admin.php:31
filter · display_post_states · includes\admin\class-evo-admin.php:33
action · evo_addon_version_change · includes\admin\class-evo-admin.php:133
filter · mce_external_plugins · includes\admin\class-evo-admin.php:416
filter · mce_buttons · includes\admin\class-evo-admin.php:419
filter · manage_edit-ajde_events_columns · includes\admin\post_types\ajde_events.php:16
action · restrict_manage_posts · includes\admin\post_types\ajde_events.php:19
filter · query_vars · includes\admin\post_types\ajde_events.php:20
filter · months_dropdown_results · includes\admin\post_types\ajde_events.php:21
action · pre_get_posts · includes\admin\post_types\ajde_events.php:22
filter · update_postmeta_cache · includes\admin\post_types\ajde_events.php:24
action · manage_ajde_events_posts_custom_column · includes\admin\post_types\ajde_events.php:26
filter · manage_edit-ajde_events_sortable_columns · includes\admin\post_types\ajde_events.php:27
filter · request · includes\admin\post_types\ajde_events.php:28
filter · list_table_primary_column · includes\admin\post_types\ajde_events.php:30
filter · post_row_actions · includes\admin\post_types\ajde_events.php:31
action · post_submitbox_misc_actions · includes\admin\post_types\ajde_events.php:32
action · bulk_edit_custom_box · includes\admin\post_types\ajde_events.php:34
action · quick_edit_custom_box · includes\admin\post_types\ajde_events.php:35
action · admin_enqueue_scripts · includes\admin\post_types\ajde_events.php:36
action · save_post · includes\admin\post_types\ajde_events.php:37
action · evo_event_bulk_quick_edit · includes\admin\post_types\ajde_events.php:38
action · save_post · includes\admin\post_types\ajde_events.php:635
action · add_meta_boxes · includes\admin\post_types\class-meta_boxes.php:19
action · save_post · includes\admin\post_types\class-meta_boxes.php:20
action · admin_menu · includes\admin\welcome.php:22
action · admin_head · includes\admin\welcome.php:23
action · admin_init · includes\admin\welcome.php:24
filter · evo_cal_above_header_btn · includes\calendar\class-calendar-filtering.php:13
action · evo_cal_above_header_btns_end · includes\calendar\class-calendar-filtering.php:14
action · eventon_below_sorts · includes\calendar\class-calendar-schedule.php:10
filter · evo_global_data · includes\calendar\class-calendar-schedule.php:11
filter · evo_init_ajax_data · includes\calendar\class-calendar-schedule.php:12
filter · eventon_cal_class · includes\calendar\class-calendar-schedule.php:19
action · init · includes\calendar\class-calendar_generator.php:80
action · widgets_init · includes\class-eventon.php:43
action · after_setup_theme · includes\class-eventon.php:44
action · after_setup_theme · includes\class-eventon.php:45
action · init · includes\class-eventon.php:46
action · init · includes\class-eventon.php:47
action · init · includes\class-evo-ajax.php:19
action · template_redirect · includes\class-evo-ajax.php:20
action · admin_init · includes\class-evo-install.php:23
filter · plugin_row_meta · includes\class-evo-install.php:24
action · init · includes\class-evo-post-types.php:23
action · init · includes\class-evo-post-types.php:24
filter · eventon_shortcode_defaults · includes\class-evo-shortcodes.php:160
filter · template_include · includes\class-evo-template-loader.php:25
filter · get_block_templates · includes\class-evo-template-loader.php:30
filter · eventon_shortcode_defaults · includes\class-evo-wp-widgets.php:216
action · init · includes\class-frontend.php:29
action · wp_enqueue_scripts · includes\class-frontend.php:37
action · wp_enqueue_scripts · includes\class-frontend.php:38
action · wp_enqueue_scripts · includes\class-frontend.php:43
action · wp_enqueue_scripts · includes\class-frontend.php:48
action · wp_enqueue_scripts · includes\class-frontend.php:49
action · wp_head · includes\class-frontend.php:55
action · wp_head · includes\class-frontend.php:59
filter · query_vars · includes\class-frontend.php:64
action · init · includes\class-frontend.php:65
action · wp_footer · includes\class-frontend.php:68
filter · heartbeat_received · includes\class-frontend.php:71
filter · heartbeat_nopriv_received · includes\class-frontend.php:72
filter · heartbeat_settings · includes\class-frontend.php:73
filter · wp_kses_allowed_html · includes\class-frontend.php:76
action · init · includes\class-frontend.php:79
filter · query_vars · includes\class-frontend.php:80
action · template_redirect · includes\class-frontend.php:81
action · wp_head · includes\class-frontend.php:483
action · wp_loaded · includes\class-rest-api.php:12
action · rest_api_init · includes\class-rest-api.php:13
filter · eventon_shortcode_popup · includes\class-search.php:14
filter · evo_cal_above_header_btn · includes\class-search.php:19
filter · evo_cal_above_header_content · includes\class-search.php:20
action · evo_cal_footer · includes\class-search.php:21
action · pre_get_posts · includes\class-search.php:24
filter · evo_cpt_search_visibility · includes\class-search.php:25
action · evo_page_footer · includes\elements\class-lightboxes.php:11
action · admin_footer · includes\elements\class-lightboxes.php:12
action · wp_footer · includes\elements\class-lightboxes.php:13
action · init · includes\integration\blocks\class-evo-blocks.php:12
filter · block_categories_all · includes\integration\blocks\class-evo-blocks.php:13
action · vc_before_init · includes\integration\class-intergration-visualcomposer.php:9
action · elementor/widgets/register · includes\integration\elementor\class-elementor-init.php:17
action · elementor/editor/wp_head · includes\integration\elementor\class-elementor-init.php:19
action · elementor/editor/footer · includes\integration\elementor\class-elementor-init.php:20
action · elementor/editor/before_enqueue_scripts · includes\integration\elementor\class-elementor-init.php:22
action · elementor/elements/categories_registered · includes\integration\elementor\class-elementor-init.php:24
action · admin_init · includes\integration\openai\class-ai.php:9
filter · eventon_settings_3rdparty · includes\integration\openai\class-ai.php:10
action · evo_admin_event_only_page · includes\integration\openai\class-ai.php:13
action · admin_head · includes\integration\openai\class-ai.php:259
filter · init · templates\_evo-template-control.php:10
action · eventon_before_header · templates\_evo-template-functions.php:10
action · eventon_before_main_content · templates\_evo-template-functions.php:11
action · eventon_single_content_wrapper · templates\_evo-template-functions.php:12
action · eventon_single_after_loop · templates\_evo-template-functions.php:14
action · eventon_before_single_event · templates\_evo-template-functions.php:16
action · eventon_before_event_content · templates\_evo-template-functions.php:17
action · eventon_before_single_event_summary · templates\_evo-template-functions.php:18
action · eventon_single_event_summary · templates\_evo-template-functions.php:19
action · eventon_after_main_content · templates\_evo-template-functions.php:21
action · eventon_single_after_loop · templates\_evo-template-functions.php:22
action · eventon_after_event_content · templates\_evo-template-functions.php:23
action · eventon_after_single_event_summary · templates\_evo-template-functions.php:24
action · eventon_after_single_event · templates\_evo-template-functions.php:25
action · evo_taxlb_upcoming_events · templates\_evo-template-functions.php:28
filter · post_class · templates\_evo-template-functions.php:45
Maintenance & Trust

EventON – Events Calendar Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 3, 2026
PHP min version
Downloads: 170K

Community Trust

Rating: 80/100
Number of ratings: 42
Active installs: 6K
Developer Profile

EventON – Events Calendar Developer Profile

Ashan Perera

2 plugins · 6K total installs

Trust score: 82
Avg Security Score: 92/100
Avg Patch Time: 72 days
Detection Fingerprints

How We Detect EventON – Events Calendar

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/eventon-lite/assets/images/
  • /wp-content/plugins/eventon-lite/assets/css/eventon_styles.css
  • /wp-content/plugins/eventon-lite/assets/js/eventon_scripts.js
  • /wp-content/plugins/eventon-lite/includes/admin/assets/css/evo_admin_styles.css
  • /wp-content/plugins/eventon-lite/includes/admin/assets/js/evo_admin_scripts.js
  • /wp-content/plugins/eventon-lite/includes/admin/assets/js/admin/taxonomy.js
Script Paths
  • /wp-content/plugins/eventon-lite/assets/js/eventon_scripts.js
  • /wp-content/plugins/eventon-lite/includes/admin/assets/js/evo_admin_scripts.js
  • /wp-content/plugins/eventon-lite/includes/admin/assets/js/admin/taxonomy.js
Version Parameters
  • eventon-lite/assets/css/eventon_styles.css?ver=
  • eventon-lite/assets/js/eventon_scripts.js?ver=
  • eventon-lite/includes/admin/assets/css/evo_admin_styles.css?ver=
  • eventon-lite/includes/admin/assets/js/evo_admin_scripts.js?ver=
  • eventon-lite/includes/admin/assets/js/admin/taxonomy.js?ver=

HTML / DOM Fingerprints

CSS Classes
  • evo_calendar_wrapper
  • evo_event_list
  • evo_event_details
  • evo_filter_container
  • evo_metafield
  • evo_admin_field
  • eventon_shortcode_generator
HTML Comments
  • `<!-- eventon -->`
  • `<!-- eventON Settings Page -->`
  • `<!-- eventon menu -->`
  • `<!-- eventON Lite - Event Calendar -->`
Data Attributes
  • data-eventon-eventid
  • data-eventon-day
  • data-eventon-month
  • data-eventon-year
  • data-evo-color
  • data-evo-id
JS Globals
  • eventon_locale
  • eventon_params
  • evo_admin_script_vars
  • evo_global_vars
Shortcode Output
  • [add_eventon]
  • [eventon_full_calendar]
  • [eventon_searchbar]
  • [eventon_categories]