Events Manager – OpenStreetMaps Security & Risk Analysis

wordpress.org/plugins/stonehenge-em-osm

OpenStreetMaps for Events Manager. An add-on to replace Google Maps with OpenStreetMap. 0% Google, 100% open source.

Active installs: 700 · Version: 4.2.1 · Requires PHP 7.3+ · Requires WP 5.4+ · Updated: Mar 16, 2022
Tags: events-manager, free, maps, openstreet

Security score: 63/100 · Grade C · Use Caution
CVEs total: 1 · Unpatched: 1 · Last CVE: Sep 22, 2025
Is Events Manager – OpenStreetMaps Safe to Use in 2026?

Use With Caution

Score 63/100

Events Manager – OpenStreetMaps has 1 unpatched vulnerability. Evaluate alternatives or apply available mitigations.

1 known CVE · 1 unpatched · Last CVE: Sep 22, 2025 · Plugin last updated 4 years ago (Mar 16, 2022)
Risk Assessment

The 'stonehenge-em-osm' plugin v4.2.1 presents a moderate security risk. On the positive side, the code performs few file operations (4) and external HTTP requests (7), calls no function classified as dangerous, prepares 56% of its SQL queries and escapes 58% of its output. The main concern is the attack surface: 17 AJAX handlers, 16 of which are flagged as unprotected, meaning no nonce or capability check was found at the entry point. Five of those are wp_ajax_nopriv_ registrations and are reachable without a login by design, so the question for each is whether the handler only reads data that is already public. The remaining logged-in handlers still need a capability check, because a login alone does not authorise an action, and a nonce check, because without one any third-party page a logged-in user visits can trigger the handler cross-site. The one unsanitized path found by taint analysis, in em_ajax_search_and_pagination, is not rated critical or high, but it sits in a public search handler and should be read by hand before the plugin is trusted with untrusted search input. The vulnerability history is short but unresolved: the single known CVE, a medium-severity stored cross-site scripting issue exploitable from Contributor-level accounts, has no fix, and the plugin has not been updated since March 2022, so there is no evidence a fix is coming. Overall the plugin has some strengths but is weakened by its unprotected entry points and an unpatched vulnerability in an apparently unmaintained codebase.

Key Concerns

  • 16 of 17 AJAX handlers flagged as unprotected (no capability check found at the entry point)
  • Missing nonce checks on the same AJAX handlers (cross-site request forgery exposure for logged-in users)
  • One unsanitized data-flow path in em_ajax_search_and_pagination (originals\em-actions.php:712)
  • One unpatched CVE of medium severity (CVE-2025-58265, stored XSS, Contributor+)
  • Only 10 of 18 SQL queries (56%) use prepared statements
  • Only 224 of 383 output points (58%) are escaped
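The three checks behind this list (a nonce on the AJAX entry point, a capability check rather than a bare login, and prepared SQL with context-specific output escaping) are easiest to see together in one handler. The following is an added example written for this page, not code from the stonehenge-em-osm plugin or from Events Manager. The hook and nonce names, the `edit_locations` capability, the `em_locations` table and its column names, and the `search.js` asset are assumptions chosen to resemble the plugin's context, and the snippet assumes a WordPress runtime for `$wpdb`, `check_ajax_referer()` and the `esc_*` helpers.

```php
<?php
/**
 * Added example, not code from stonehenge-em-osm or Events Manager.
 * A hardened admin-ajax search handler showing the checks the report
 * scores: nonce, capability, prepared SQL, escaped output.
 * Assumed (hypothetical) names: the example_osm_search action and nonce,
 * the edit_locations capability, the {prefix}em_locations table and its
 * columns, and the search.js asset. Requires a WordPress runtime.
 */

// Registering both hooks makes the action reachable without a login
// ("nopriv"); that is fine for a public search, but everything the
// handler does must then be safe for an anonymous caller.
add_action( 'wp_ajax_example_osm_search',        'example_osm_search' );
add_action( 'wp_ajax_nopriv_example_osm_search', 'example_osm_search' );

function example_osm_search() {
    global $wpdb;

    // 1. CSRF: the nonce ties the request to a page this site rendered.
    //    check_ajax_referer() terminates the request on failure.
    //    Caveat: page caching can hand anonymous visitors a stale nonce,
    //    so a purely read-only public search may drop this line; any
    //    handler that changes state must keep it.
    check_ajax_referer( 'example_osm_search', 'security' );

    // 2. Authorisation: a login is not a permission. Gate anything beyond
    //    reading public data on a capability (assumed name below).
    $can_edit = is_user_logged_in() && current_user_can( 'edit_locations' );

    // 3. Input: coerce each parameter to the type the query needs.
    $term  = isset( $_POST['term'] ) ? sanitize_text_field( wp_unslash( $_POST['term'] ) ) : '';
    $limit = isset( $_POST['limit'] ) ? min( 50, max( 1, absint( $_POST['limit'] ) ) ) : 10;

    // 4. SQL: placeholders + prepare(); esc_like() stops a user-supplied
    //    "%" or "_" from widening the LIKE match.
    $like = '%' . $wpdb->esc_like( $term ) . '%';
    $rows = $wpdb->get_results( $wpdb->prepare(
        "SELECT location_id, location_name, location_latitude, location_longitude
           FROM {$wpdb->prefix}em_locations
          WHERE location_name LIKE %s
          LIMIT %d",
        $like,
        $limit
    ) );

    // 5. Output: escape at the sink, for the context the value lands in
    //    (attribute vs. text). Stored data is untrusted too: a Contributor
    //    may have written the location name.
    $html = '';
    foreach ( $rows as $row ) {
        $html .= sprintf(
            '<li data-em-osm-location-id="%s" data-lat="%s" data-lng="%s">%s</li>',
            esc_attr( $row->location_id ),
            esc_attr( $row->location_latitude ),
            esc_attr( $row->location_longitude ),
            esc_html( $row->location_name )
        );
    }

    // wp_send_json_* JSON-encodes the payload; never assemble JavaScript
    // source by string concatenation on the PHP side.
    wp_send_json_success( array(
        'html'     => $html,
        'can_edit' => $can_edit,
    ) );
}

// Page side: hand the nonce to the script that will call admin-ajax.php.
function example_osm_enqueue() {
    wp_enqueue_script( 'example-osm-search', plugins_url( 'search.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-osm-search', 'exampleOsm', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_osm_search' ),
    ) );
}
add_action( 'wp_enqueue_scripts', 'example_osm_enqueue' );
```

Registering one callback for both wp_ajax_ and wp_ajax_nopriv_ is exactly the pattern the attack-surface listing shows for the search actions; whether that pattern is safe is decided entirely inside the callback. A static scanner counts calls to check_ajax_referer() and current_user_can() but cannot judge whether the capability chosen is the right one for what the handler writes, so the review step is to read what each flagged handler does, not only whether a check exists.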

Events Manager – OpenStreetMaps Security Vulnerabilities

CVEs by Year

2025: 1 CVE, unpatched

Severity Breakdown

Medium: 1 (1 total CVE)

CVE-2025-58265 · Medium (CVSS 6.4) · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting', CWE-79)

Events Manager – OpenStreetMaps <= 4.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published Sep 22, 2025 · Unpatched

A stored XSS reachable from the Contributor role means any account that can submit content for review can plant a payload that executes in the browser of whoever later views it, including administrators, which is the usual route from XSS to session or account takeover. The affected range includes the current release (4.2.1), so there is no version to upgrade to; until a fix ships, either remove the plugin or treat every Contributor-and-above account as fully trusted.
Events Manager – OpenStreetMaps Code Analysis

Analyzed Mar 16, 2026

Dangerous Functions: 0
SQL queries: 18 total, 10 prepared, 8 raw
Output points: 383 total, 224 escaped, 159 unescaped
Nonce Checks: 9
Capability Checks: 9
File Operations: 4
External Requests: 7
Bundled Libraries: 0

Note on the bundled-library count: the attack-surface listing further down includes files under stonehenge\server\Puc\v4p6\ (UpdateChecker.php, Scheduler.php, Vcs\GitHubApi.php), which is the directory layout of the plugin-update-checker library, and originals\em-actions.php, whose action names and em_ajax_search_and_pagination function are Events Manager's own. Both look like vendored third-party code, so the count of 0 is best read as "none matched by signature", and findings located in those paths concern copied upstream code rather than the add-on's own logic.

SQL Query Safety

10 of 18 queries prepared (56%)

Output Escaping

224 of 383 output points escaped (58%)
Data Flow Analysis

6 flows traced, 1 with an unsanitized path:

  • em_ajax_search_and_pagination (originals\em-actions.php:712): at least one path from a source (user input) to a sink (dangerous operation) has no sanitizer or transform on it
Events Manager – OpenStreetMaps Attack Surface

Entry points: 21 · Unprotected: 16

AJAX Handlers (17)

Context: auth = registered on wp_ajax_{action} (logged-in users only); nopriv = registered on wp_ajax_nopriv_{action} (no login required). Hook names are reproduced as the scanner listed them.

Context   Hook                                    Registered at
auth      wp_ajax_osm_search_location             classes\class-init.php:44
auth      wp_ajax_norpiv_osm_search_location      classes\class-init.php:45
auth      wp_ajax_em_bookings_table               originals\em-actions.php:707
nopriv    wp_ajax_search_events                   originals\em-actions.php:743
auth      wp_ajax_search_events                   originals\em-actions.php:744
nopriv    wp_ajax_search_events_grouped           originals\em-actions.php:745
auth      wp_ajax_search_events_grouped           originals\em-actions.php:746
nopriv    wp_ajax_search_locations                originals\em-actions.php:747
auth      wp_ajax_search_locations                originals\em-actions.php:748
nopriv    wp_ajax_search_tags                     originals\em-actions.php:749
auth      wp_ajax_search_tags                     originals\em-actions.php:750
nopriv    wp_ajax_search_cats                     originals\em-actions.php:751
auth      wp_ajax_search_cats                     originals\em-actions.php:752
auth      wp_ajax_stonehenge_mailer               stonehenge\class-core.php:25
auth      wp_ajax_stonehenge_form                 stonehenge\class-core.php:26
auth      wp_ajax_puc_v4_debug_check_now          stonehenge\server\Puc\v4p6\DebugBar\Extension.php:20
auth      wp_ajax_puc_v4_debug_request_info       stonehenge\server\Puc\v4p6\DebugBar\PluginExtension.php:11

Three things to verify in the source before acting on this table:

  • class-init.php:45 registers wp_ajax_norpiv_osm_search_location as listed. "norpiv" is not WordPress's wp_ajax_nopriv_ prefix, so if the name really is spelled that way, admin-ajax.php never dispatches it for logged-out visitors: the location search is then logged-in only and this row is dead code rather than a public endpoint. Either reading changes the exposure, so confirm the spelling.
  • The two puc_v4_debug_* handlers belong to the bundled plugin-update-checker Debug Bar extension; their nonce and capability handling lives in that library, not in the add-on's own files.
  • The handlers from originals\em-actions.php carry Events Manager's own action names, so the parent plugin may register the same actions; which callback runs, and whether the add-on's copy adds or drops checks relative to upstream, is worth confirming on a live install.

Shortcodes (4)

[locations_map] classes\class-init.php:56
[events_map] classes\class-init.php:59
[locations-map] classes\class-init.php:63
[events-map] classes\class-init.php:65
WordPress Hooks (52)

Type     Hook                                      Registered at
filter   em_location_save_meta                     classes\class-init.php:35
action   wp_loaded                                 classes\class-init.php:38
filter   em_locate_template                        classes\class-init.php:39
action   admin_footer                              classes\class-init.php:40
action   admin_init                                classes\class-init.php:41
filter   em_event_output_placeholder               classes\class-init.php:48
filter   em_location_output_placeholder            classes\class-init.php:49
action   stonehenge_after_options                  classes\class-init.php:52
action   init                                      originals\em-actions.php:696
filter   plugin_action_links                       stonehenge\class-core.php:20
filter   plugin_row_meta                           stonehenge\class-core.php:21
action   admin_enqueue_scripts                     stonehenge\class-core.php:22
action   wp_enqueue_scripts                        stonehenge\class-core.php:23
filter   stonehenge_content                        stonehenge\class-core.php:24
action   stonehenge_menu                           stonehenge\class-core.php:39
action   admin_init                                stonehenge\class-core.php:42
action   admin_enqueue_scripts                     stonehenge\class-core.php:43
action   wp_enqueue_scripts                        stonehenge\class-core.php:44
filter   the_editor                                stonehenge\class-core.php:580
filter   wp_dropdown_pages                         stonehenge\class-core.php:659
action   stonehenge_menu                           stonehenge\class-forum.php:8
filter   em_booking_output_placeholder             stonehenge\class-functions.php:952
action   stonehenge_menu                           stonehenge\class-plugins.php:11
action   stonehenge_menu                           stonehenge\class-tickets.php:9
action   admin_menu                                stonehenge\init.php:28
filter   debug_bar_panels                          stonehenge\server\Puc\v4p6\DebugBar\Extension.php:17
action   debug_bar_enqueue_scripts                 stonehenge\server\Puc\v4p6\DebugBar\Extension.php:18
filter   upgrader_post_install                     stonehenge\server\Puc\v4p6\Plugin\Package.php:32
action   delete_site_transient_update_plugins      stonehenge\server\Puc\v4p6\Plugin\Package.php:33
action   admin_init                                stonehenge\server\Puc\v4p6\Plugin\Ui.php:17
filter   plugin_row_meta                           stonehenge\server\Puc\v4p6\Plugin\Ui.php:24
filter   plugin_row_meta                           stonehenge\server\Puc\v4p6\Plugin\Ui.php:25
action   all_admin_notices                         stonehenge\server\Puc\v4p6\Plugin\Ui.php:26
filter   plugins_api                               stonehenge\server\Puc\v4p6\Plugin\UpdateChecker.php:94
filter   cron_schedules                            stonehenge\server\Puc\v4p6\Scheduler.php:50
action   admin_init                                stonehenge\server\Puc\v4p6\Scheduler.php:60
action   load-update-core.php                      stonehenge\server\Puc\v4p6\Scheduler.php:64
action   upgrader_process_complete                 stonehenge\server\Puc\v4p6\Scheduler.php:71
action   init                                      stonehenge\server\Puc\v4p6\UpdateChecker.php:88
filter   upgrader_source_selection                 stonehenge\server\Puc\v4p6\UpdateChecker.php:132
filter   http_request_host_is_external             stonehenge\server\Puc\v4p6\UpdateChecker.php:136
action   plugins_loaded                            stonehenge\server\Puc\v4p6\UpdateChecker.php:142
action   puc_api_error                             stonehenge\server\Puc\v4p6\UpdateChecker.php:244
filter   upgrader_pre_install                      stonehenge\server\Puc\v4p6\UpgraderStatus.php:17
filter   upgrader_package_options                  stonehenge\server\Puc\v4p6\UpgraderStatus.php:18
filter   upgrader_post_install                     stonehenge\server\Puc\v4p6\UpgraderStatus.php:19
action   upgrader_process_complete                 stonehenge\server\Puc\v4p6\UpgraderStatus.php:20
filter   upgrader_pre_download                     stonehenge\server\Puc\v4p6\Vcs\GitHubApi.php:362
filter   http_request_args                         stonehenge\server\Puc\v4p6\Vcs\GitHubApi.php:387
action   plugins_loaded                            stonehenge-em-osm.php:43
filter   autoptimize_filter_js_exclude             stonehenge-em-osm.php:62
filter   autoptimize_filter_css_exclude            stonehenge-em-osm.php:63

Supply-chain note: the block of Puc\v4p6 hooks (plugins_api, upgrader_pre_download, http_request_host_is_external, http_request_args on Vcs\GitHubApi.php) is the machinery of a self-hosted update channel that can fetch packages from a Git host instead of wordpress.org. The listing shows the code is present, not whether it is configured; if it is, updates for this plugin are governed by whoever controls the configured repository, which matters when the wordpress.org release has been static since 2022.
Events Manager – OpenStreetMaps Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.0.11
Last updated: Mar 16, 2022
PHP min version: 7.3
Downloads: 29K

The last release predates the only CVE by roughly three and a half years. A "tested up to" value can be raised in the wordpress.org readme without shipping any code, so it is not evidence of maintenance on its own.

Community Trust

Rating: 96/100
Number of ratings: 25
Active installs: 700
Events Manager – OpenStreetMaps Developer Profile

Stonehenge Creations

9 plugins · 1K total installs
Developer trust score: 83/100
Avg security score across plugins: 84/100
Avg patch time: 30 days

The 30-day average is across the developer's plugins; it does not describe this one, whose only CVE has been open since Sep 2025 with no release since 2022.
How We Detect Events Manager – OpenStreetMaps

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/stonehenge-em-osm/assets/example-custom-markers.png

Script Paths (these are PHP source files, which the server executes rather than serves; a probe for them tests existence only, via status code, and tells you nothing about the code)
  • /wp-content/plugins/stonehenge-em-osm/classes/class-functions.php
  • /wp-content/plugins/stonehenge-em-osm/classes/class-admin.php
  • /wp-content/plugins/stonehenge-em-osm/classes/class-metabox.php
  • /wp-content/plugins/stonehenge-em-osm/classes/class-customize.php
  • /wp-content/plugins/stonehenge-em-osm/classes/class-maps.php
  • /wp-content/plugins/stonehenge-em-osm/classes/class-init.php
  • +1 more

Version Parameters (the ver= value is whatever the plugin passes to wp_enqueue_style()/wp_enqueue_script(); it is often the plugin version but can be the WordPress version or a cache-busting timestamp, so treat it as a hint and confirm against the readme or changelog)
  • stonehenge-em-osm/style.css?ver=
  • stonehenge-em-osm/script.js?ver=

HTML / DOM Fingerprints

CSS Classes
  • em-osm-map-container
  • custom-marker-icon
  • em-osm-custom-marker
  • em-osm-custom-icon

HTML Comments
  • <!-- Stonehenge EM OSM - Init -->
  • <!-- Stonehenge EM OSM - Map Container -->

Data Attributes
  • data-em-osm-marker-shape
  • data-em-osm-marker-color
  • data-em-osm-marker-icon
  • data-em-osm-marker-iconcolor
  • data-em-osm-location-id

JS Globals
  • stonehenge_em_osm_options
  • stonehenge_em_osm_markers
  • stonehenge_em_osm_map_settings

Shortcode Output
  • <div class="em-osm-map-container"
  • <div id="em-osm-map-
  • <div class="em-osm-custom-marker"
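To turn the fingerprints above into a check that can run against a captured page, here is an added example in PHP. It is not the scanner's own code and not part of the plugin: the regexes are derived from the strings listed above, the HTML is a constructed sample rather than a capture from a live site, and `em_osm_fingerprints()` and `detect_em_osm()` are this example's own names.

```php
<?php
/**
 * Added example, not the scanner's code and not part of stonehenge-em-osm.
 * Matches the listed fingerprints against page HTML and, when a ?ver=
 * parameter is present, compares it with the CVE-2025-58265 bound.
 */

/** Regexes built from the fingerprint strings on this page. */
function em_osm_fingerprints(): array {
    return array(
        'asset_path'    => '#/wp-content/plugins/stonehenge-em-osm/#',
        'version_param' => '#stonehenge-em-osm/(?:style\.css|script\.js)\?ver=([\w.\-]+)#',
        'css_class'     => '#\bem-osm-(?:map-container|custom-marker|custom-icon)\b#',
        'html_comment'  => '#<!--\s*Stonehenge EM OSM - (?:Init|Map Container)\s*-->#',
        'data_attr'     => '#\bdata-em-osm-(?:marker-(?:shape|color|icon|iconcolor)|location-id)=#',
        'js_global'     => '#\bstonehenge_em_osm_(?:options|markers|map_settings)\b#',
        'shortcode_out' => '#<div (?:id="em-osm-map-|class="em-osm-(?:map-container|custom-marker)")#',
    );
}

/**
 * Returns which fingerprints matched, whether the plugin is considered
 * present (two independent signals, to keep a stray CSS class from
 * counting as a hit), and the ?ver= value if one was seen.
 */
function detect_em_osm( string $html ): array {
    $hits    = array();
    $version = null;
    foreach ( em_osm_fingerprints() as $name => $regex ) {
        if ( preg_match( $regex, $html, $m ) ) {
            $hits[] = $name;
            if ( 'version_param' === $name ) {
                $version = $m[1];
            }
        }
    }
    return array(
        'detected' => count( $hits ) >= 2,
        'hits'     => $hits,
        'version'  => $version,
    );
}

// Constructed sample page, not captured from a live site. In practice the
// body would come from wp_remote_get() or curl against the site's front page.
$sample = <<<'HTML'
<link rel="stylesheet" href="/wp-content/plugins/stonehenge-em-osm/style.css?ver=4.2.1">
<script>var stonehenge_em_osm_options = {"zoom":12};</script>
<!-- Stonehenge EM OSM - Map Container -->
<div class="em-osm-map-container"><div id="em-osm-map-1"
     data-em-osm-location-id="7" data-em-osm-marker-color="#c00"></div></div>
HTML;

$result = detect_em_osm( $sample );
print_r( $result );

// The ver= value is only a hint at the plugin version (it may be the WP
// version or a timestamp); when it does look like a plugin version, compare
// it with the advisory's "<= 4.2.1" bound rather than stopping at presence.
if ( $result['detected'] && null !== $result['version']
     && preg_match( '#^\d+\.\d+(?:\.\d+)?$#', $result['version'] )
     && version_compare( $result['version'], '4.2.1', '<=' ) ) {
    echo "Version {$result['version']} is within the CVE-2025-58265 affected range (<= 4.2.1).\n";
}
```

On the constructed sample every fingerprint matches and the version check fires. The two-signal threshold is the part worth keeping in a real crawler: a class name like custom-marker-icon is generic enough to appear in unrelated themes, whereas the asset path plus a JS global or HTML comment is specific to this plugin.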
Frequently Asked Questions about Events Manager – OpenStreetMaps