SQL Injection exists in Event Manager 1.0 via the event.php id parameter or the page.php slug parameter.