WP Events Manager Security & Risk Analysis

wordpress.org/plugins/wp-events-manager

The all in one Events Manager for WordPress: create and manage events, sell event tickets online easily. No Coding Required.

30K active installs · v2.2.4 · PHP 7.4+ · WP 6.0+ · Updated Oct 27, 2025
Tags: bookings, event, event-management, events, registration
Score: 97 · A · Safe
CVEs total: 2
Unpatched: 0
Last CVE: Sep 22, 2025
Safety Verdict

Is WP Events Manager Safe to Use in 2026?

Generally Safe

Score 97/100

WP Events Manager has a strong security track record. Known vulnerabilities have been patched promptly.

2 known CVEs · Last CVE: Sep 22, 2025 · Updated 5mo ago
Risk Assessment

The "wp-events-manager" plugin v2.2.4 exhibits a mixed security posture. On the positive side, it uses prepared statements for all SQL queries and escapes a high percentage of its output, and it includes nonce and capability checks. The static analysis found zero entry points, so there are none exposed without protection. This indicates a conscious effort to mitigate common web vulnerabilities.

However, there are concerning signals. The presence of two flows with unsanitized paths in the taint analysis, one of which is rated as high severity, is a significant red flag. While the static analysis reports zero direct entry points without authentication, these taint flows suggest potential pathways for attackers to exploit if the sanitization is insufficient or if there are indirect entry points not captured by the static analysis. The vulnerability history, though currently showing no unpatched CVEs, reveals a past with two known vulnerabilities, including a high-severity SQL injection and a medium-severity missing authorization issue. This pattern suggests that the plugin has had exploitable flaws in the past, and while they are patched now, it warrants vigilance.

In conclusion, while the plugin has strengths in its handling of SQL and output, the high-severity unsanitized path flow and historical vulnerability patterns are notable weaknesses. The absence of direct unprotected entry points is a positive, but the potential for exploitation through the identified taint flows requires careful consideration and potentially further investigation.

Key Concerns

  • High severity unsanitized taint flow
  • Unsanitized path flow
  • Past high severity vulnerability (SQLi)
  • Past medium severity vulnerability (Auth)
  • File operations present
  • External HTTP requests present
Vulnerabilities
2

WP Events Manager Security Vulnerabilities

CVEs by Year

  • 2024: 1 CVE
  • 2025: 1 CVE

Severity Breakdown

  • High: 1
  • Medium: 1

2 total CVEs

CVE-2025-57987 · medium · 6.5 · Missing Authorization

WP Events Manager <= 2.2.1 - Missing Authorization

Sep 22, 2025 Patched in 2.2.2 (17d)
CVE-2024-7717 · high · 8.8 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

WP Events Manager <= 2.1.11 - Authenticated (Subscriber+) Time-Based SQL Injection

Aug 30, 2024 Patched in 2.2.0 (1d)
Code Analysis
Analyzed Mar 16, 2026

WP Events Manager Code Analysis

  • Dangerous Functions: 0
  • Raw SQL Queries: 0 (18 prepared)
  • Unescaped Output: 75 (296 escaped)
  • Nonce Checks: 9
  • Capability Checks: 3
  • File Operations: 2
  • External Requests: 1
  • Bundled Libraries: 0

SQL Query Safety

100% prepared · 18 total queries

Output Escaping

80% escaped · 371 total outputs
Data Flows
2 unsanitized

Data Flow Analysis

11 flows · 2 with unsanitized paths
save_fields (inc\admin\class-wpems-admin-settings.php:203)
[Flow diagram legend: Source (user input), Sink (dangerous op), Sanitizer, Transform, Unsanitized, Sanitized]
Attack Surface

WP Events Manager Attack Surface

Entry Points: 0
Unprotected: 0
WordPress Hooks: 79
action · event_admin_setting_page_checkout_section · inc\abstracts\class-wpems-abstract-payment-gateway.php:34
action · event_auth_payment_gateways_select · inc\abstracts\class-wpems-abstract-payment-gateway.php:35
filter · event_admin_settings_tabs_array · inc\abstracts\class-wpems-abstract-setting.php:30
action · tp_event_before_enqueue_scripts · inc\admin\class-wpems-admin-assets.php:22
action · admin_menu · inc\admin\class-wpems-admin-menu.php:31
action · add_meta_boxes · inc\admin\class-wpems-admin-metaboxes.php:18
action · save_post · inc\admin\class-wpems-admin-metaboxes.php:19
action · admin_notices · inc\admin\class-wpems-admin-metaboxes.php:20
action · tp_event_process_update_tp_event_meta · inc\admin\class-wpems-admin-metaboxes.php:25
action · tp_event_process_update_event_auth_book_meta · inc\admin\class-wpems-admin-metaboxes.php:26
action · admin_init · inc\admin\class-wpems-admin-settings.php:20
action · tp_event_process_update_event_auth_book_meta · inc\admin\metaboxes\class-wpems-admin-metabox-booking.php:24
filter · event_admin_settings_tabs_array · inc\admin\settings\class-wpems-admin-setting-checkout.php:32
action · admin_enqueue_scripts · inc\class-wpems-assets.php:39
action · wp_enqueue_scripts · inc\class-wpems-assets.php:40
action · tp_event_before_enqueue_scripts · inc\class-wpems-frontend-assets.php:22
filter · wp_privacy_personal_data_exporters · inc\class-wpems-gdpr.php:24
filter · wp_privacy_personal_data_erasers · inc\class-wpems-gdpr.php:25
action · after_setup_theme · inc\class-wpems-post-types.php:23
action · init · inc\class-wpems-post-types.php:24
action · init · inc\class-wpems-post-types.php:27
action · init · inc\class-wpems-post-types.php:29
action · init · inc\class-wpems-post-types.php:31
action · init · inc\class-wpems-post-types.php:34
filter · manage_tp_event_posts_columns · inc\class-wpems-post-types.php:37
action · manage_tp_event_posts_custom_column · inc\class-wpems-post-types.php:38
filter · manage_edit-tp_event_sortable_columns · inc\class-wpems-post-types.php:40
filter · posts_join_paged · inc\class-wpems-post-types.php:41
filter · posts_orderby · inc\class-wpems-post-types.php:42
filter · manage_edit-tp_event_category_columns · inc\class-wpems-post-types.php:44
filter · manage_event_auth_book_posts_columns · inc\class-wpems-post-types.php:46
action · manage_event_auth_book_posts_custom_column · inc\class-wpems-post-types.php:47
filter · post_updated_messages · inc\class-wpems-post-types.php:49
filter · parse_query · inc\class-wpems-post-types.php:53
action · shutdown · inc\class-wpems-session.php:44
action · tp_event_shortcode_wrapper_start · inc\class-wpems-shortcodes.php:24
action · tp_event_shortcode_wrapper_end · inc\class-wpems-shortcodes.php:25
action · template_redirect · inc\class-wpems-shortcodes.php:41
filter · template_include · inc\class-wpems-template.php:27
action · init · inc\class-wpems-user-process.php:31
action · init · inc\class-wpems-user-process.php:32
action · init · inc\class-wpems-user-process.php:33
action · init · inc\class-wpems-user-process.php:34
action · init · inc\class-wpems-user-process.php:35
action · wp_logout · inc\class-wpems-user-process.php:37
filter · logout_redirect · inc\class-wpems-user-process.php:38
action · tp_event_updated_status · inc\emails\class-wpems-register-event.php:22
filter · wp_mail_from · inc\emails\class-wpems-register-event.php:54
filter · wp_mail_from_name · inc\emails\class-wpems-register-event.php:56
action · init · inc\gateways\paypal\class-wpems-payment-gateway-paypal.php:50
action · widgets_init · inc\wpems-core-functions.php:15
filter · the_content · inc\wpems-core-functions.php:144
filter · the_post · inc\wpems-core-functions.php:151
action · tp_event_before_main_content · inc\wpems-core-functions.php:310
action · tp_event_after_main_content · inc\wpems-core-functions.php:318
action · tp_event_before_single_event · inc\wpems-core-functions.php:326
action · tp_event_after_single_event · inc\wpems-core-functions.php:334
action · tp_event_single_event_title · inc\wpems-core-functions.php:343
action · tp_event_single_event_thumbnail · inc\wpems-core-functions.php:351
action · tp_event_loop_event_countdown · inc\wpems-core-functions.php:359
action · tp_event_after_event_loop · inc\wpems-core-functions.php:367
action · tp_event_single_event_content · inc\wpems-core-functions.php:376
action · tp_event_after_single_event · inc\wpems-core-functions.php:388
action · tp_event_loop_event_location · inc\wpems-core-functions.php:396
action · tp_event_schedule_status · inc\wpems-core-functions.php:563
filter · the_content · inc\wpems-core-functions.php:1175
filter · the_content · inc\wpems-core-functions.php:1218
action · tp_event_create_new_booking · inc\wpems-core-functions.php:1226
action · tp_event_updated_status · inc\wpems-core-functions.php:1227
action · tp_event_cancel_payment_booking · inc\wpems-core-functions.php:1241
action · all_admin_notices · inc\wpems-core-functions.php:1279
filter · parent_file · inc\wpems-core-functions.php:1366
action · network_admin_notices · inc\wpems-core-functions.php:1371
action · admin_notices · inc\wpems-core-functions.php:1372
action · admin_notices · inc\wpems-core-functions.php:1376
filter · pre_get_posts · inc\wpems-core-functions.php:1409
action · the_post · inc\wpems-core-functions.php:1586
action · init · wp-events-manager.php:69
action · init · wp-events-manager.php:70

Scheduled Events: 3

tp_event_schedule_status
tp_event_schedule_status
wpems_cancel_payment_booking
Maintenance & Trust

WP Events Manager Maintenance & Trust

Maintenance Signals

  • WordPress version tested: 6.8.5
  • Last updated: Oct 27, 2025
  • PHP min version: 7.4
  • Downloads: 695K

Community Trust

  • Rating: 56/100
  • Number of ratings: 12
  • Active installs: 30K
Developer Profile

WP Events Manager Developer Profile

ThimPress

21 plugins · 209K total installs

  • Trust score: 70
  • Avg Security Score: 87/100
  • Avg Patch Time: 265 days
Detection Fingerprints

How We Detect WP Events Manager

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/wp-events-manager/assets/css/frontend.css
  • /wp-content/plugins/wp-events-manager/assets/css/frontend.min.css
  • /wp-content/plugins/wp-events-manager/assets/js/frontend.js
  • /wp-content/plugins/wp-events-manager/assets/js/frontend.min.js
  • /wp-content/plugins/wp-events-manager/assets/js/moment.min.js
  • /wp-content/plugins/wp-events-manager/assets/js/fullcalendar.min.js
  • /wp-content/plugins/wp-events-manager/assets/js/backend.js
  • /wp-content/plugins/wp-events-manager/assets/js/backend.min.js
  • +9 more
Script Paths
  • /wp-content/plugins/wp-events-manager/assets/js/frontend.js
  • /wp-content/plugins/wp-events-manager/assets/js/frontend.min.js
  • /wp-content/plugins/wp-events-manager/assets/js/moment.min.js
  • /wp-content/plugins/wp-events-manager/assets/js/fullcalendar.min.js
  • /wp-content/plugins/wp-events-manager/assets/js/backend.js
  • /wp-content/plugins/wp-events-manager/assets/js/backend.min.js
  • +4 more
Version Parameters
  • wp-events-manager/assets/css/frontend.css?ver=
  • wp-events-manager/assets/js/frontend.js?ver=
  • wp-events-manager/assets/js/moment.min.js?ver=
  • wp-events-manager/assets/js/fullcalendar.min.js?ver=
  • wp-events-manager/assets/js/backend.js?ver=
  • wp-events-manager/inc/libraries/bootstrap/css/bootstrap.min.css?ver=
  • wp-events-manager/inc/libraries/magnific-popup/magnific-popup.css?ver=
  • wp-events-manager/inc/libraries/magnific-popup/jquery.magnific-popup.min.js?ver=
  • wp-events-manager/inc/libraries/select2/css/select2.min.css?ver=
  • wp-events-manager/inc/libraries/select2/js/select2.min.js?ver=
  • wp-events-manager/inc/libraries/swiper/css/swiper.min.css?ver=
  • wp-events-manager/inc/libraries/swiper/js/swiper.min.js?ver=
  • wp-events-manager/inc/libraries/tippy/tippy.min.css?ver=
  • wp-events-manager/inc/libraries/tippy/tippy.min.js?ver=

HTML / DOM Fingerprints

CSS Classes
  • wpems-main-content
  • wpems-event-title
  • wpems-event-date
  • wpems-event-time
  • wpems-event-location
  • wpems-event-description
  • wpems-single-event
  • wpems-booking-form
  • +2 more
HTML Comments
  • <!-- WP Events Manager -->
  • <!-- WPEMS Data -->
Data Attributes
  • data-wpems-event-id
  • data-wpems-action
JS Globals
  • WPEMS_AJAX_URL
  • WPEMS_FRONTEND_OBJ
  • wpems_localize
REST Endpoints
  • /wp-json/wpems/v1/events
  • /wp-json/wpems/v1/bookings
Shortcode Output
  • [wp_events_manager]
  • [wp_events_manager_calendar]
  • [wp_events_manager_single_event]
  • [wp_events_manager_booking_form]