Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in jonkern WPListCal wplistcal allows SQL Injection. This issue affects WPListCal: from n/a through <= 1.3.5.
Published: 2025-01-09
Score: 8.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an SQL injection flaw arising from improper neutralization of special elements in an SQL command within the WPListCal plugin, identified as CWE‑89. This flaw allows an attacker to embed malicious SQL code that can read, modify, or delete arbitrary data stored in a WordPress site’s database. Consequently, an attacker could compromise the confidentiality, integrity, and availability of data managed by the plugin.

Affected Systems

The affected systems are WordPress installations that use the WPListCal plugin from vendor jonkern. All releases through version 1.3.5 are vulnerable, requiring users running any of these versions to upgrade or remove the plugin.

Risk and Exploitability

The CVSS score of 8.5 reflects a high‑severity threat, while the EPSS score of less than 1% indicates a low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the attack vector is web‑based: an attacker can submit a crafted input payload to the plugin’s SQL queries, potentially targeting any exposed input field that is not sanitized. If successfully exploited, the attacker could achieve full database compromise, leading to data theft or site disruption.

Generated by OpenCVE AI on May 1, 2026 at 21:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade WPListCal to a version newer than 1.3.5 to eliminate the SQL injection flaw.
  • If the calendar functionality is no longer required, consider removing or disabling the WPListCal plugin entirely.
  • Deploy a Web Application Firewall or implement server‑side input validation to detect and reject malicious SQL payloads targeting the plugin.

Advisories

Source: EUVD
ID: EUVD-2025-2813
Title: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Jonathan Kern WPListCal allows SQL Injection. This issue affects WPListCal: from n/a through 1.3.5.
History

Thu, 23 Apr 2026 15:00:00 +0000
  Type: Metrics (cvssV3_1)
  Value: {'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000
  Type: Description
  Values Removed: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Jonathan Kern WPListCal allows SQL Injection.This issue affects WPListCal: from n/a through 1.3.5.
  Values Added: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in jonkern WPListCal wplistcal allows SQL Injection.This issue affects WPListCal: from n/a through <= 1.3.5.
  Type: References
  Type: Metrics (cvssV3_1)
  Value: {'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L'}

Fri, 10 Jan 2025 21:15:00 +0000
  Type: Metrics (ssvc)
  Value: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 09 Jan 2025 15:45:00 +0000
  Type: Description
  Value: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Jonathan Kern WPListCal allows SQL Injection.This issue affects WPListCal: from n/a through 1.3.5.
  Type: Title
  Value: WordPress WPListCal Plugin <= 1.3.5 - SQL Injection vulnerability
  Type: Weaknesses
  Value: CWE-89
  Type: References
  Type: Metrics (cvssV3_1)
  Value: {'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L'}

MITRE
Status: PUBLISHED
Assigner: Patchstack
Published:
Updated: 2026-04-28T16:11:00.905Z
Reserved: 2025-01-07T10:22:58.148Z
Link: CVE-2025-22535

Vulnrichment
Updated: 2025-01-10T20:18:10.944Z

NVD
Status: Deferred
Published: 2025-01-09T16:16:28.047
Modified: 2026-06-17T08:48:04.687
Link: CVE-2025-22535

Redhat
No data.

OpenCVE Enrichment
Updated: 2026-05-01T22:00:14Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')