The Events Manager WordPress plugin before 5.9.8 does not sanitise and escape some search parameter before outputing them in pages, which could lead to Cross-Site Scripting issues

The Events Manager WordPress plugin before 5.9.8 does not sanitise and escape a parameter before using it in a SQL statement, leading to an SQL Injection

Cross-site request forgery (CSRF) vulnerability in Push Notifications for WordPress (Lite) versions prior to 6.0.1 allows a remote attacker to hijack the authentication of an administrator and conduct an arbitrary operation via a specially crafted web page.

The events-manager plugin through 5.9.5 for WordPress (aka Events Manager) is susceptible to Stored XSS due to improper encoding and insertion of data provided to the attribute map_style of shortcodes (locations_map and events_map) provided by the plugin.

The events-manager plugin before 5.1.7 for WordPress has XSS via JSON call links.

The events-manager plugin before 5.5.2 for WordPress has XSS in the booking form.

The events-manager plugin before 5.3.9 for WordPress has XSS in the search form field.

The events-manager plugin before 5.3.6.1 for WordPress has XSS via the booking form and admin areas.

The events-manager plugin before 5.5 for WordPress has XSS via EM_Ticket::get_post.

The events-manager plugin before 5.6 for WordPress has code injection.