The Community Events plugin for WordPress is vulnerable to SQL Injection via the event_category parameter in all versions up to, and including, 1.5.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Advisories

No advisories yet.

Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

History

Wed, 08 Oct 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 08 Oct 2025 13:45:00 +0000

Type Values Removed Values Added
First Time appeared Jackdewey
Jackdewey community Events
Wordpress
Wordpress wordpress
Vendors & Products Jackdewey
Jackdewey community Events
Wordpress
Wordpress wordpress

Wed, 08 Oct 2025 03:45:00 +0000

Type Values Removed Values Added
Description The Community Events plugin for WordPress is vulnerable to SQL Injection via the event_category parameter in all versions up to, and including, 1.5.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Title Community Events <= 1.5.1 - Unauthenticated SQL Injection
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2025-10-08T14:19:31.897Z

Reserved: 2025-09-16T21:30:38.762Z

Link: CVE-2025-10587

cve-icon Vulnrichment

Updated: 2025-10-08T14:19:29.117Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2025-10-08T04:16:15.437

Modified: 2025-10-08T19:38:09.863

Link: CVE-2025-10587

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2025-10-08T13:35:03Z