Description
The Community Events plugin for WordPress is vulnerable to SQL Injection via the ‘event_venue’ parameter in all versions up to, and including, 1.5.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Published: 2025-10-09
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection
Action: Immediate Patch
AI Analysis

Impact

The Community Events plugin for WordPress contains a SQL injection vulnerability in the event_venue parameter: the value is placed into a SQL query assembled by the plugin without escaping or a prepared statement. This flaw, classified as CWE-89, allows a user to inject arbitrary SQL statements. When successful, an attacker can read or modify data stored in the WordPress database, potentially exposing user credentials, content, and configuration settings, and compromising the confidentiality and integrity of the site.

Affected Systems

All installations of the Community Events plugin version 1.5.1 or older from the vendor jackdewey are vulnerable. These versions are available on WordPress.org and may still be present on sites that have not applied updates since the fix was released.

Risk and Exploitability

The flaw has a CVSS score of 9.8, indicating critical risk. The EPSS score is below 1 %, suggesting that exploitation is currently low-probability, but absence from the KEV catalog does not mean the flaw cannot be exploited. Based on the description, the injection requires a user with Subscriber-level access or higher, so authentication is necessary, although some sources label it as unauthenticated. Exploiting it requires the attacker to submit a crafted event_venue value in a request that the plugin processes, a step that is simple to automate once the vulnerability is known.

Generated by OpenCVE AI on April 22, 2026 at 13:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Community Events plugin to the latest available version, which fixes the unescaped event_venue parameter, and confirm that the release uses prepared statements or proper escaping.
  • If an upgrade is not possible, temporarily disable the Community Events plugin or remove it entirely to eliminate the attack surface until a fix is available.
  • Restrict what the Subscriber role (and any lower-privileged role) can submit to the plugin, and monitor database query logs for unexpected activity that could indicate exploitation attempts.
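
The description above attributes the flaw to insufficient escaping and a lack of preparation on the query, and the recommended actions call for prepared statements. The following is an added illustration of that pattern in WordPress plugin code; it is not the Community Events plugin's own code nor anything published by OpenCVE or Wordfence. The table name (`{$wpdb->prefix}community_events`), the column name `venue`, the function names and the capability checked are all assumptions made for the example.

```php
<?php
// Added example (hypothetical); not the Community Events plugin's actual code.
// Assumes the WordPress global $wpdb and a custom table named
// {$wpdb->prefix}community_events with a `venue` column.

// BEFORE: the user-supplied value is spliced into the SQL text.
// Whatever the value contains becomes part of the statement, which is
// the CWE-89 condition the advisory describes.
function ce_events_by_venue_vulnerable( $venue ) {
    global $wpdb;
    $table = $wpdb->prefix . 'community_events';
    $sql   = "SELECT id, title, venue FROM {$table} WHERE venue = '" . $venue . "'";
    return $wpdb->get_results( $sql );
}

// AFTER: the value is bound through $wpdb->prepare(), so it is only ever
// compared as data. The table name is built from the trusted prefix, not
// from user input; only the venue goes through a placeholder.
function ce_events_by_venue_fixed( $venue ) {
    global $wpdb;
    $table = $wpdb->prefix . 'community_events';
    $sql   = $wpdb->prepare(
        "SELECT id, title, venue FROM {$table} WHERE venue = %s",
        $venue
    );
    return $wpdb->get_results( $sql );
}

// Caller side: gate the request on a capability (name assumed), then
// normalise and bound the field before it reaches the query. This is the
// code-level counterpart of the role restriction recommended above.
function ce_handle_venue_request() {
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    $venue = isset( $_GET['event_venue'] )
        ? sanitize_text_field( wp_unslash( $_GET['event_venue'] ) )
        : '';
    if ( '' === $venue || strlen( $venue ) > 200 ) {
        return array();
    }
    return ce_events_by_venue_fixed( $venue );
}
```

Two layers are shown on purpose. `sanitize_text_field()` strips tags and control characters but does not neutralise quotes, so it is not a substitute for `$wpdb->prepare()`; the prepared statement is what closes the CWE-89 condition, while the capability check only narrows who can reach the query at all.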

Advisories

No advisories yet.

History

Thu, 09 Oct 2025 18:15:00 +0000

Type     | Values Removed | Values Added
Metrics  |                | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 09 Oct 2025 13:00:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Jackdewey; Jackdewey community Events; Wordpress; Wordpress wordpress
Vendors & Products  |                | Jackdewey; Jackdewey community Events; Wordpress; Wordpress wordpress

Thu, 09 Oct 2025 02:15:00 +0000

Type        | Values Removed | Values Added
Description |                | The Community Events plugin for WordPress is vulnerable to SQL Injection via the ‘event_venue’ parameter in all versions up to, and including, 1.5.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Title       |                | Community Events <= 1.5.1 - Unauthenticated SQL Injection
Weaknesses  |                | CWE-89
References  |                |
Metrics     |                | cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Jackdewey Community Events
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:09:34.015Z

Reserved: 2025-09-16T21:29:38.515Z

Link: CVE-2025-10586

Vulnrichment

Updated: 2025-10-09T17:55:36.596Z

NVD

Status : Deferred

Published: 2025-10-09T02:15:40.993

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-10586

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T13:15:17Z

Weaknesses