WP Events Manager Cross-Site Request Forgery Vulnerability

MEDIUM (4.3) No Patch (2 days)

Threat Intelligence

Low Risk
EPSS Score: 0.01% chance of exploitation (percentile: 2%)
🔍 Detection Tools: None available in major open-source tools
⚔️ Exploit Availability: No public exploits found

What is it?

The Events Manager – Calendar, Bookings, Tickets, and more! plugin for WordPress is a popular extension used by many websites to manage events. This cross-site request forgery vulnerability allows attackers to delete locations via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

Am I affected?

Specific version info not stated in the advisory.

Affected Products

WordPress.org / Events Manager

How to fix

To fix this issue:

  1. Update to Events Manager version 7.2.3 or later from the official WordPress plugin repository: https://wordpress.org/plugins/events-manager/
  2. If you can't update immediately, apply these mitigations:
    • Restrict network access to your WordPress installation (firewall it from the public internet)
    • Audit admin account activity for suspicious access patterns
    • Monitor for unauthorized token creation
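
One way to carry out the admin-activity audit above, as an added example that is not part of the advisory or the plugin's code: it scans a combined-format access log for wp-admin actions whose Referer is missing or points to another site, which is the footprint a forged request leaves. The hostname `example.test`, the page and action names in the sample lines, and the use of an `action` query parameter as the filter are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

SITE_HOST = "example.test"  # assumption: hostname of the WordPress site being audited

# Apache/nginx "combined" access-log format
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "[^"]*"'
)

def is_admin_action(method, target):
    """POST to wp-admin, or any wp-admin request carrying an `action` query parameter."""
    parts = urlsplit(target)
    if not parts.path.startswith("/wp-admin/"):
        return False
    return method == "POST" or "action" in parse_qs(parts.query)

def referer_origin(referer):
    """Classify the Referer as 'same', 'cross' or 'none' relative to SITE_HOST."""
    if referer in ("", "-"):
        return "none"
    return "same" if urlsplit(referer).hostname == SITE_HOST else "cross"

def audit(lines):
    """Return (timestamp, ip, method, target, origin) for admin actions not referred by the site."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not is_admin_action(m["method"], m["target"]):
            continue
        origin = referer_origin(m["referer"])
        if origin != "same":
            findings.append((m["ts"], m["ip"], m["method"], m["target"], origin))
    return findings

# Constructed sample log lines (not real traffic; page and action names are hypothetical)
SAMPLE_LOG = [
    '198.51.100.7 - - [12/Jan/2026:10:01:02 +0000] "GET /wp-admin/admin.php?page=hypothetical-page&action=hypothetical_delete&id=7 HTTP/1.1" 302 0 "https://other-site.invalid/page.html" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Jan/2026:10:05:40 +0000] "GET /wp-admin/admin.php?page=hypothetical-page&action=hypothetical_delete&id=8 HTTP/1.1" 302 0 "https://example.test/wp-admin/admin.php?page=hypothetical-page" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Jan/2026:10:09:13 +0000] "POST /wp-admin/admin-post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Jan/2026:10:11:55 +0000] "GET /wp-admin/index.php HTTP/1.1" 200 5120 "https://example.test/wp-login.php" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

Entries labelled `cross` deserve review first; `none` also covers privacy tools that strip the Referer, so treat those as lower confidence.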