Impact
The WordPress WP Google Calendar Manager plugin contains an SQL injection flaw that allows attackers to execute arbitrary SQL queries against the plugin’s database. The vulnerability stems from improper neutralization of special characters in user input before it reaches a query, the CWE‑89 weakness. If exploited, an attacker can retrieve sensitive data, modify or delete content, and potentially compromise the confidentiality and integrity of the entire WordPress site’s data.
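To make the CWE‑89 pattern concrete, the following is an added example, not code from WP Google Calendar Manager or from EuroCizia: a query that concatenates user input next to its hardened form using a prepared statement. It assumes PHP with the pdo_sqlite extension and builds an in-memory SQLite table with constructed rows so it runs outside WordPress; the table and column names are invented for the demonstration.

```php
<?php
// Added example, not the plugin's code. Assumes PHP with pdo_sqlite.
// Constructed schema and rows stand in for whatever the plugin stores.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE calendar_events (id INTEGER PRIMARY KEY, title TEXT, owner TEXT)');
$db->exec("INSERT INTO calendar_events (title, owner) VALUES "
        . "('Board meeting', 'alice'), ('Private review', 'bob'), ('Standup', \"o'brien\")");

// CWE-89 pattern: the request parameter is pasted into the SQL text.
// A quote in $owner terminates the literal and the remainder is parsed as SQL,
// so the database executes whatever structure the input happens to form.
function events_for_owner_vulnerable(PDO $db, string $owner): array {
    $sql = "SELECT title FROM calendar_events WHERE owner = '" . $owner . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened form: the value travels separately from the query text, so the
// database always treats it as data. Inside WordPress the equivalent is
// $wpdb->get_col($wpdb->prepare("SELECT title FROM ... WHERE owner = %s", $owner)).
function events_for_owner_safe(PDO $db, string $owner): array {
    $stmt = $db->prepare('SELECT title FROM calendar_events WHERE owner = ?');
    $stmt->execute([$owner]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed inputs: a plain name, a legitimate name containing an
// apostrophe, and a value whose quote changes the query's structure.
$inputs = ['alice', "o'brien", "' OR '1'='1"];
foreach ($inputs as $input) {
    try {
        $vuln = json_encode(events_for_owner_vulnerable($db, $input));
    } catch (PDOException $e) {
        // The unescaped apostrophe in "o'brien" breaks the statement entirely:
        // the same flaw is a correctness bug, not only a security one.
        $vuln = 'SQL error: ' . $e->getMessage();
    }
    $safe = json_encode(events_for_owner_safe($db, $input));
    printf("%-16s vulnerable -> %s\n", var_export($input, true), $vuln);
    printf("%-16s safe       -> %s\n", var_export($input, true), $safe);
}
```

Run with `php example.php`. The vulnerable function returns every row for the third input and fails outright on the second, while the prepared statement returns exactly the rows whose owner equals the input, and an empty set for the malformed value. When reviewing a plugin for this class of flaw, any `$wpdb->query()` or `$wpdb->get_results()` call whose SQL string is assembled with `.` or interpolation from `$_GET`, `$_POST` or `$_REQUEST` values is the place to look.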
Affected Systems
EuroCizia’s WP Google Calendar Manager is vulnerable in all releases up to and including version 2.1. The issue applies to any WordPress installation that has an affected version of this plugin installed; no dependency on a specific operating system or PHP version was identified.
Risk and Exploitability
The CVSS score of 8.5 indicates a high‑severity risk, yet the EPSS score of less than 1% suggests a low probability of exploitation at the moment. The vulnerability is not listed in CISA’s KEV catalogue, so no known public exploitation has been recorded there. Exploitation most likely requires sending crafted HTTP requests to the plugin’s endpoints, possibly from a web client that can reach the plugin’s admin interface. Because this is a blind injection, an attacker would have to infer success from changes in response timing or from side effects in the database rather than from query output, which also means that unusually slow or repetitive requests to those endpoints are the signal defenders should watch for.