eventespresso CVE Vulnerabilities & Metrics

Focus on eventespresso vulnerabilities and metrics.

Last updated: 01 Aug 2025, 22:25 UTC

About eventespresso Security Exposure

This page consolidates all known Common Vulnerabilities and Exposures (CVEs) associated with eventespresso. We track both calendar-based metrics (using fixed periods) and rolling metrics (using gliding windows) to give you a comprehensive view of security trends and risk evolution. Use these insights to assess risk and plan your patching strategy.

Global CVE Overview

Total eventespresso CVEs: 5
Earliest CVE date: 14 Sep 2017, 13:29 UTC
Latest CVE date: 21 Aug 2024, 06:15 UTC

Latest CVE reference: CVE-2024-6883

Rolling Stats

30-day Count (Rolling): 0
365-day Count (Rolling): 1

Calendar-based Variation

Calendar-based Variation compares a fixed calendar period (e.g., this month versus the same month last year), while Rolling Growth Rate uses a continuous window (e.g., last 30 days versus the previous 30 days) to capture trends independent of calendar boundaries.

Variations & Growth

Month Variation (Calendar): 0%
Year Variation (Calendar): 0%

Month Growth Rate (30-day Rolling): 0.0%
Year Growth Rate (365-day Rolling): 0.0%

Monthly CVE Trends (current vs previous Year)

Annual CVE Trends (Last 20 Years)

Critical eventespresso CVEs (CVSS ≥ 9) Over 20 Years

CVSS Stats

Average CVSS: 3.66

Max CVSS: 7.5

Critical CVEs (≥9): 0

CVSS Range vs. Count

Range Count
0.0-3.9 2
4.0-6.9 2
7.0-8.9 1
9.0-10.0 0

CVSS Distribution Chart

Top 5 Highest CVSS eventespresso CVEs

These are the five CVEs with the highest CVSS scores for eventespresso, sorted first by severity and then by recency.

All CVEs for eventespresso

CVE-2024-6883 eventespresso vulnerability CVSS: 0 21 Aug 2024, 06:15 UTC

The Event Espresso 4 Decaf – Event Registration Event Ticketing plugin for WordPress is vulnerable to limited unauthorized plugin settings modification due to a missing capability check on the saveTimezoneString and some other functions in all versions up to, and including, 5.0.22.decaf. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify some of the plugin settings.

CVE-2021-4404 eventespresso vulnerability CVSS: 0 01 Jul 2023, 06:15 UTC

The Event Espresso 4 Decaf plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.10.11. This is due to missing or incorrect nonce validation on the ajaxHandler() function. This makes it possible for unauthenticated attackers to opt into notifications via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.

CVE-2020-26153 eventespresso vulnerability CVSS: 4.3 13 Jul 2021, 11:15 UTC

A cross-site scripting (XSS) vulnerability in wp-content/plugins/event-espresso-core-reg/admin_pages/messages/templates/ee_msg_admin_overview.template.php in the Event Espresso Core plugin before 4.10.7.p for WordPress allows remote attackers to inject arbitrary web script or HTML via the page parameter.

CVE-2017-14760 eventespresso vulnerability CVSS: 7.5 27 Sep 2017, 08:29 UTC

SQL Injection exists in /includes/event-management/index.php in the event-espresso-free (aka Event Espresso Lite) plugin v3.1.37.12.L for WordPress via the recurrence_id parameter to /wp-admin/admin.php.

CVE-2017-1002026 eventespresso vulnerability CVSS: 6.5 14 Sep 2017, 13:29 UTC

Vulnerability in the WordPress plugin Event Espresso Free v3.1.37.11.L: the function edit_event_category does not sanitize user-supplied input via the $id parameter before passing it into an SQL statement.