
Events Manager – Calendar, Bookings, Tickets, and more! Security & Risk Analysis
wordpress.org/plugins/events-managerEvents calendar with bookings, scheduling, appointments, event registration, tickets, recurring events, and venue management.
Is Events Manager – Calendar, Bookings, Tickets, and more! Safe to Use in 2026?
Generally Safe
Score 86/100Events Manager – Calendar, Bookings, Tickets, and more! has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.
The Events Manager plugin version 7.2.3.1 presents a mixed security posture. While it demonstrates strengths in SQL query sanitization (71% prepared statements) and utilizes nonces and capability checks extensively (79 and 77 respectively), significant concerns remain. The plugin has a substantial attack surface with 45 entry points, 15 of which lack authentication checks, making them prime targets for unauthorized access or manipulation. Furthermore, the presence of dangerous functions like `unserialize` and identified taint flows with unsanitized paths, including three high-severity flows, indicate potential for code execution or sensitive data compromise.
The plugin's vulnerability history is concerning, with 34 known CVEs, including one critical and four high-severity past vulnerabilities. The frequent occurrence of issues like SQL injection, missing authorization, and injection vulnerabilities suggests recurring weaknesses in input validation and access control. The fact that the last known vulnerability was very recent (2025-12-17) and that there are currently no unpatched CVEs is a positive sign, but the historical pattern highlights a need for more robust and consistent security practices. Overall, while some good security practices are in place, the number of unprotected entry points, dangerous code functions, high-severity taint flows, and a history of numerous vulnerabilities necessitate caution and prompt patching.
Key Concerns
- 15 unprotected AJAX handlers
- 3 high severity taint flows
- Dangerous function: unserialize
- 20 flows with unsanitized paths
- History of 34 CVEs, 1 critical, 4 high
- Vulnerability: Missing Authorization
- Vulnerability: SQL Injection
- Vulnerability: Injection
- Vulnerability: Cross-site Scripting
Events Manager – Calendar, Bookings, Tickets, and more! Security Vulnerabilities
CVEs by Year
Severity Breakdown
34 total CVEs
Events Manager <= 7.2.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'events_list_grouped' Shortcode
Events Manager – Calendar, Bookings, Tickets, and more! <= 7.2.2.2 - Cross-Site Request Forgery to Location Deletion
Events Manager <= 7.2.2.2 - Unauthenticated Information Exposure
Events Manager <= 7.0.3 - Authenticated(Contributor+) Stored Cross-Site Scripting via Plugin Shortcodes
Events Manager <= 7.0.3 - Unauthenticated SQL Injection via `orderby` Parameter
Event Manager <= 7.0.3 - Reflected Cross-Site Scripting via `calendar_header` Parameter
Events Manager – Calendar, Bookings, Tickets, and more! <= 6.6.4.1 - Missing Authorization
Events Manager – Calendar, Bookings, Tickets, and more! <= 6.6.3 - Unauthenticated SQL Injection via Event Status Parameter
Events Manager <= 6.4.8 - Reflected Cross-Site Scripting
Events Manager – Calendar, Bookings, Tickets, and more! <= 6.4.7.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via event, location, and event_category Shortcodes
Events Manager <= 6.4.6.4 - Missing Authorization
Events Manager <= 6.4.7.1 - Cross-Site Request Forgery
Events Manager <= 6.4.7.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
Events Manager <= 6.4.7.1 - Cross-Site Request Forgery
Events Manager <= 6.4.6.4 - Authenticated(Administator+) Stored Cross-Site Scripting via settings
Events Manager <= 6.4.5 - Reflected Cross-Site Scripting
Events Manager <= 5.9.7.3 - Admin+ SQL Injection
Events Manager <= 5.9.7.3 - Cross-Site Scripting
Events Manager < 5.9.7.2 & Events Manager Pro < 2.6.7.2 - Unauthenticated CSV Injection
Events Manager <= 5.9.7.1 - CSV Injection
Events Manager <= 5.9.5 - Authenticated Stored Cross-Site Scripting
Events Manager <= 5.9.4 - Cross-Site Scripting
Events Manager <= 5.8.1.3 - Stored Cross-Site Scripting
Events Manager <= 5.8.1.1 - Cross-Site Scripting
Events Manager <= 5.5.7.1 - Cross-Site Scripting
Events Manager <= 5.5.7.1 - Code Injection
Events Manager < 5.5.7.1 - Cross-Site Scripting
Events Manager < 5.5.7 - Cross-Site Scripting
Events Manager < 5.3.5 & Events Manager Pro < 2.2.9 - Cross-Site Scripting
Events Manager < 5.3.9 - Cross-Site Scripting
Events Manager <= 5.5.1 - Multiple Cross-Site Scripting
Events Manager < 5.5 - Cross-Site Scripting
Events Manager <= 5.3.6 - Multiple Cross-Site Scripting
Events Manager < 5.1.7 - Cross-Site Scripting
Events Manager – Calendar, Bookings, Tickets, and more! Release Timeline
Events Manager – Calendar, Bookings, Tickets, and more! Code Analysis
Dangerous Functions Found
Bundled Libraries
SQL Query Safety
Output Escaping
Data Flow Analysis
Events Manager – Calendar, Bookings, Tickets, and more! Attack Surface
AJAX Handlers 18
Shortcodes 27
WordPress Hooks 430
Scheduled Events 3
Maintenance & Trust
Events Manager – Calendar, Bookings, Tickets, and more! Maintenance & Trust
Maintenance Signals
Community Trust
Events Manager – Calendar, Bookings, Tickets, and more! Alternatives
LatePoint – Calendar Booking Plugin for Appointments and Events
latepoint
Optimize your appointment scheduling with our plugin. Sync calendars, automate reminders, and keep your bookings organized.
WP Event Manager – Events Calendar, Registrations, Sell Tickets with WooCommerce
wp-event-manager
Lightweight, scalable and full-featured event listings & management plugin for managing events & tickets from the Frontend and Backend.
Sugar Calendar – Events Calendar, Event Tickets, and Events Management Platform
sugar-calendar-lite
Easily manage events and sell tickets on your WordPress site. Sugar Calendar is easy-to-use, reliable, and exceptionally powerful. See for yourself.
Registrations for the Events Calendar – Event Registration Plugin
registrations-for-the-events-calendar
Collect and manage event registrations with a customizable form and email template. The best event registration plugin for The Events Calendar.
Events Calendar by FooEvents
fooevents-calendar
The simplest way to display any post, page or custom post type in a dynamic events calendar on your WordPress website.
Events Manager – Calendar, Bookings, Tickets, and more! Developer Profile
13 plugins · 176K total installs
How We Detect Events Manager – Calendar, Bookings, Tickets, and more!
Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.
Asset Fingerprints
/wp-content/plugins/events-manager/css/events-manager.css/wp-content/plugins/events-manager/css/events-manager-bookings.css/wp-content/plugins/events-manager/css/events-manager-admin.css/wp-content/plugins/events-manager/css/jquery-ui.css/wp-content/plugins/events-manager/css/em-slider.css/wp-content/plugins/events-manager/css/em-booking-form.css/wp-content/plugins/events-manager/css/em-print.css/wp-content/plugins/events-manager/css/em-admin-dashboard.css+50 more/wp-content/plugins/events-manager/js/events-manager.js/wp-content/plugins/events-manager/js/em-frontend.js/wp-content/plugins/events-manager/js/em-bookings-frontend.js/wp-content/plugins/events-manager/js/em-admin.js/wp-content/plugins/events-manager/js/em-locations-admin.js/wp-content/plugins/events-manager/js/em-events-admin.js+26 moreevents-manager/css/events-manager.css?ver=events-manager/js/events-manager.js?ver=events-manager/css/events-manager-bookings.css?ver=events-manager/js/em-frontend.js?ver=events-manager/js/em-bookings-frontend.js?ver=events-manager/css/events-manager-admin.css?ver=events-manager/js/em-admin.js?ver=events-manager/js/em-locations-admin.js?ver=events-manager/js/em-events-admin.js?ver=events-manager/js/em-bookings-admin.js?ver=events-manager/js/em-settings-admin.js?ver=events-manager/js/em-calendar.js?ver=events-manager/js/em-map.js?ver=events-manager/js/em-search.js?ver=events-manager/js/em-recurring.js?ver=events-manager/css/jquery-ui.css?ver=events-manager/js/jquery-ui.min.js?ver=events-manager/css/em-slider.css?ver=events-manager/css/em-booking-form.css?ver=events-manager/css/em-print.css?ver=events-manager/css/em-admin-dashboard.css?ver=events-manager/js/em-admin-dashboard.js?ver=events-manager/css/em-locations-admin.css?ver=events-manager/css/em-admin-privacy.css?ver=events-manager/js/em-admin-privacy.js?ver=events-manager/css/em-admin-events.css?ver=events-manager/css/em-admin-bookings.css?ver=events-manager/css/em-admin-settings.css?ver=events-manager/css/em-admin-help.css?ver=events-manager/js/em-admin-help.js?ver=events-manager/css/em-admin-docs.css?ver=events-manager/js/em-admin-docs.js?ver=events-manager/css/em-admin-modals.css?ver=events-manager/js/em-admin-modals.js?ver=events-manager/css/em-admin-notices.css?ver=events-manager/js/em-admin-notices.js?ver=events-manager/css/em-admin-reports.css?ver=events-manager/js/em-admin-reports.js?ver=events-manager/css/em-admin-categories.css?ver=events-manager/js/em-admin-categories.js?ver=events-manager/css/em-admin-tags.css?ver=events-manager/js/em-admin-tags.js?ver=events-manager/css/em-admin-locations.css?ver=events-manager/js/em-admin-locations.js?ver=events-manager/css/em-admin-people.css?ver=events-manager/js/em-admin-people.js?ver=events-manager/css/em-admin-tickets.css?ver=events-manager/js/em-admin-tickets.js?ver=events-manager/css/em-admin-recurrences.css?ver=events-manager/js/em-admin-recurrences.js?ver=events-manager/css/em-admin-custom-fields.css?ver=events-manager/js/em-admin-custom-fields.js?ver=events-manager/css/em-admin-consent.css?ver=events-manager/js/em-admin-consent.js?ver=events-manager/js/em-admin-taxonomy.js?ver=events-manager/js/admin-tickets-booking.js?ver=events-manager/js/tinymce-plugin.js?ver=events-manager/js/em-repeater.js?ver=HTML / DOM Fingerprints
em-booking-datesem-booking-timesem-booking-seatsem-booking-priceem-booking-contact-detailsem-booking-formem-tickets-selectorem-tickets-single+39 more<!-- /wp:events-manager/events --><!-- /wp:events-manager/locations --><!-- /wp:events-manager/calendar --><!-- EM_POST_TYPE_EVENT -->+885 moredata-em-iddata-em-post-iddata-em-event-iddata-em-location-iddata-em-booking-iddata-em-ticket-id+206 moreEMEM_AJAX_URLEM_AJAXEM_AJAX_SEARCHEM_BOOKINGS_AJAX_URLEM_BOOKINGS_AJAX+417 more/wp-json/events-manager/v1/events/wp-json/events-manager/v1/locations/wp-json/events-manager/v1/bookings/wp-json/events-manager/v1/tickets/wp-json/events-manager/v1/categories/wp-json/events-manager/v1/tags/wp-json/events-manager/v1/people/wp-json/events-manager/v1/recurrences/wp-json/events-manager/v1/custom_fields/wp-json/events-manager/v1/consent/wp-json/events-manager/v1/taxonomy/wp-json/events-manager/v1/settings/wp-json/events-manager/v1/admin/dashboard/wp-json/events-manager/v1/admin/privacy/wp-json/events-manager/v1/admin/help/wp-json/events-manager/v1/admin/docs/wp-json/events-manager/v1/admin/modals/wp-json/events-manager/v1/admin/reports/wp-json/events-manager/v1/admin/categories/wp-json/events-manager/v1/admin/tags/wp-json/events-manager/v1/admin/locations/wp-json/events-manager/v1/admin/people/wp-json/events-manager/v1/admin/tickets/wp-json/events-manager/v1/admin/recurrences/wp-json/events-manager/v1/admin/custom_fields/wp-json/events-manager/v1/admin/consent/wp-json/events-manager/v1/admin/taxonomy/wp-json/events-manager/v1/admin/tickets_booking/wp-json/events-manager/v1/admin/notices/wp-json/events-manager/v1/admin/settings[events][/events][locations][/locations]