Impact
A classic SQL Injection flaw lets an attacker inject arbitrary SQL code into queries that the Events Schedule – WordPress Events Calendar Plugin builds and sends to the database. Because the plugin fails to properly sanitize or bind user‑supplied data, the attacker can read, modify or delete data stored in the WordPress database. In a worst‑case scenario the flaw could allow extraction of admin credentials or other sensitive information, effectively compromising the entire site’s data integrity and confidentiality.
Affected Systems
The vulnerability afflicts the CurlyThemes Events Schedule – WordPress Events Calendar Plugin versions 2.7.2 and earlier. Users running these WordPress plugin releases are at risk; any site that has not upgraded beyond 2.7.2 should be considered vulnerable.
Risk and Exploitability
The CVSS score of 8.5 indicates a high‑severity exposure. Because the EPSS score is not available and the vulnerability is not listed in CISA KEV, the likelihood of active exploitation is currently unknown, though the lack of mitigation could attract attackers. The most probable attack vector is a web‑accessible endpoint that accepts user input without proper validation; a successful exploitation would require only an authenticated or unauthenticated user with network access to the WordPress site, making the risk tangible for exposed installations.
OpenCVE Enrichment