Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in imithemes Eventer eventer allows Blind SQL Injection.This issue affects Eventer: from n/a through < 3.11.4.
Published: 2025-05-16
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in the eventer plugin arises from improper sanitization of user input that becomes part of a SQL command. This flaw allows an attacker to inject arbitrary SQL statements, leading to blind SQL injection. An attacker can read, modify, or delete database contents through the plugin, compromising the confidentiality and integrity of the site’s data. The weakness is classified as CWE-89.

Affected Systems

The flaw is present in all releases of the Eventer plugin by imithemes up to, but not including, version 3.11.4. Any WordPress installation hosting a vulnerable instance of this plugin is affected.

Risk and Exploitability

The vulnerability carries a CVSS score of 9.3, indicating critical severity. The EPSS score is below 1 %, suggesting a low likelihood of exploitation in the current environment, and the issue is not listed in CISA’s KEV catalog. The attack vector is inferred to be through user‑controllable inputs within the plugin, potentially accessible to unauthenticated users or those with limited privileges. Proper authentication and input validation are therefore essential defenses. The CWE‑89 identifier signals that the flaw arises from insufficient input validation affecting command execution.

Generated by OpenCVE AI on May 1, 2026 at 08:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Eventer plugin to version 3.11.4 or later
  • If an upgrade is not immediately possible, restrict access to the booking interface by disabling it for unauthenticated users or disabling the plugin on public‑facing pages
  • Deploy a Web Application Firewall or configure input sanitization to block SQL injection patterns targeting the plugin’s endpoints

Generated by OpenCVE AI on May 1, 2026 at 08:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-15490 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in imithemes Eventer allows Blind SQL Injection. This issue affects Eventer: from n/a through 3.9.6.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

 cvssV3_1

{'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in imithemes Eventer allows Blind SQL Injection.This issue affects Eventer: from n/a before 3.11.4. Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in imithemes Eventer eventer allows Blind SQL Injection.This issue affects Eventer: from n/a through < 3.11.4.
Title WordPress Eventer - WordPress Event & Booking Manager Plugin plugin < 3.11.4 - SQL Injection vulnerability WordPress Eventer plugin < 3.11.4 - SQL Injection vulnerability
References
Metrics cvssV3_1

{'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L'}

 cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Thu, 22 Jan 2026 12:30:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in imithemes Eventer allows Blind SQL Injection. This issue affects Eventer: from n/a through 3.9.6. Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in imithemes Eventer allows Blind SQL Injection.This issue affects Eventer: from n/a before 3.11.4.
Title WordPress Eventer - WordPress Event & Booking Manager Plugin plugin <= 3.9.6 - SQL Injection vulnerability WordPress Eventer - WordPress Event & Booking Manager Plugin plugin < 3.11.4 - SQL Injection vulnerability

Wed, 21 May 2025 14:45:00 +0000

Type Values Removed Values Added
First Time appeared Imithemes
Imithemes eventer
CPEs cpe:2.3:a:imithemes:eventer:*:*:*:*:*:wordpress:*:*
Vendors & Products Imithemes
Imithemes eventer

Fri, 16 May 2025 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 16 May 2025 16:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in imithemes Eventer allows Blind SQL Injection. This issue affects Eventer: from n/a through 3.9.6.
Title WordPress Eventer - WordPress Event & Booking Manager Plugin plugin <= 3.9.6 - SQL Injection vulnerability
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L'}

Subscriptions

Imithemes Eventer
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:32.383Z

Reserved: 2025-04-16T06:23:51.711Z

Link: CVE-2025-39481

cve-icon Vulnrichment

Updated: 2025-05-16T16:19:27.365Z

cve-icon NVD

Status : Modified

Published: 2025-05-16T16:15:40.290

Modified: 2026-04-23T15:29:38.647

Link: CVE-2025-39481

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-01T08:45:06Z

Weaknesses