Description
The The Events Calendar plugin for WordPress is vulnerable to time-based SQL Injection via the ‘s’ parameter in all versions up to, and including, 6.15.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Published: 2025-09-12
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: SQL injection leading to data leakage
Action: Patch urgently
AI Analysis

Impact

The vulnerability arises from the lack of escaping and preparation of the user‑supplied 's' parameter in the Events Calendar plugin, enabling a time‑based SQL injection. An attacker can append arbitrary SQL clauses to existing queries and retrieve sensitive data from the database, compromising confidentiality. The flaw does not allow remote code execution but does permit unauthorized disclosure of database contents.

Affected Systems

The affected product is the WordPress plugin "The Events Calendar" developed by stellarwp. All releases with version numbers up to and including 6.15.1 are vulnerable; later releases are presumed fixed, based on the version boundary given by the CNA.

Risk and Exploitability

The CVSS score of 7.5 marks the flaw as high severity, yet the EPSS score of less than 1% indicates a low likelihood of exploitation at present. The vulnerability is not listed in CISA KEV, implying no known large-scale exploitation campaigns. The likely attack vector is any HTTP request that carries the 's' parameter, and no authentication is required. Without remediation, attackers could exfiltrate confidential database information.

Generated by OpenCVE AI on April 21, 2026 at 02:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Events Calendar plugin to the newest version (6.15.2 or later), which is presumed to contain the necessary escaping and query-preparation changes.
  • Deploy or configure a Web Application Firewall rule to block or sanitize requests that try to inject SQL via the 's' parameter, mitigating the injection before it reaches the database.
  • If an immediate upgrade is not feasible, disable or remove the plugin from the affected WordPress sites until a patch can be applied.
  • Continuously monitor database logs and web traffic for suspicious query patterns that may indicate exploitation attempts.
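The monitoring step above, worked through as an added example (this is not OpenCVE's code and not code from The Events Calendar): a small Python scanner that reads web-server access log lines, URL-decodes the `s` query parameter the record names, and flags values that carry time-based SQL injection indicators (MySQL SLEEP()/BENCHMARK(), PostgreSQL pg_sleep(), MSSQL WAITFOR DELAY). It assumes the Combined Log Format and that the probe arrives as a GET request with its payload in `s`; the log lines are constructed for the example and use documentation IP ranges.

```python
"""Flag time-based SQL injection probes aimed at the WordPress `s` query parameter.

Added example for this CVE record; not code from OpenCVE or The Events Calendar.
Assumptions: access logs are in the Combined Log Format, and the probe is a GET
request whose payload sits in the `s` query-string parameter.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Combined Log Format: host ident user [time] "METHOD target PROTO" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicators of time-based (blind) SQL injection, matched on the URL-decoded value.
TIME_BASED_PATTERNS = {
    "mysql_sleep": re.compile(r"\bsleep\s*\(", re.I),
    "mysql_benchmark": re.compile(r"\bbenchmark\s*\(", re.I),
    "postgres_pg_sleep": re.compile(r"\bpg_sleep\s*\(", re.I),
    "mssql_waitfor": re.compile(r"\bwaitfor\s+delay\b", re.I),
}


def s_param_values(target):
    """Return every decoded value of the `s` parameter in a request target, in order."""
    query = urlsplit(target).query
    # parse_qs percent-decodes and turns '+' into spaces, so the patterns run on
    # what the application would have seen; keep_blank_values keeps an empty `s=` too.
    return parse_qs(query, keep_blank_values=True).get("s", [])


def classify_line(line):
    """Return a finding dict when `s` carries a time-based SQLi indicator, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None  # unparseable line; a real pipeline would count these separately
    for value in s_param_values(m.group("target")):
        hits = [name for name, rx in TIME_BASED_PATTERNS.items() if rx.search(value)]
        if hits:
            return {
                "host": m.group("host"),
                "time": m.group("time"),
                "status": int(m.group("status")),
                "value": value,
                "indicators": hits,
            }
    return None


def scan(lines):
    """Scan an iterable of log lines and return the findings in log order."""
    return [f for f in (classify_line(line) for line in lines) if f]


# Constructed sample log for this example (documentation IP ranges); not real traffic.
SAMPLE_LOG = [
    # ordinary site search
    '203.0.113.10 - - [12/Sep/2025:10:01:02 +0000] "GET /?s=community+picnic HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    # ordinary search with a second query parameter and a percent-encoded space
    '203.0.113.11 - - [12/Sep/2025:10:01:05 +0000] "GET /events/?s=art%20fair&paged=2 HTTP/1.1" 200 6010 "-" "Mozilla/5.0"',
    # time-based probe in `s` (decodes to: picnic' AND SLEEP(5)-- )
    '198.51.100.7 - - [12/Sep/2025:10:02:40 +0000] "GET /?s=picnic%27+AND+SLEEP%285%29--+ HTTP/1.1" 200 5120 "-" "python-requests/2.32"',
    # same indicator in a different parameter: not attributed to the `s` flaw
    '198.51.100.8 - - [12/Sep/2025:10:02:41 +0000] "GET /?q=sleep(5) HTTP/1.1" 200 5120 "-" "curl/8.0"',
    # mixed-case BENCHMARK() probe with percent-encoded parentheses and comment marker
    '198.51.100.7 - - [12/Sep/2025:10:02:45 +0000] "GET /?s=x%27%29+OR+BeNcHmArK%2810000000%2CMD5%281%29%29%23 HTTP/1.1" 200 5120 "-" "python-requests/2.32"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(f"{finding['time']} {finding['host']} {finding['indicators']} s={finding['value']!r}")
```

Because the record describes a time-based injection, a successful probe produces a delayed response rather than an error page, so request latency is the most telling companion signal; the Combined Log Format does not record it, so in practice add a response-time field to the log format (Apache's `%D`, nginx's `$request_time`) and correlate it with the flagged requests. The same decoded-value patterns can back the WAF rule suggested in the second bullet.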



Advisories

Source: EUVD
ID: EUVD-2025-29002
Title: The The Events Calendar plugin for WordPress is vulnerable to time-based SQL Injection via the ‘s’ parameter in all versions up to, and including, 6.15.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
History

Each entry lists the change type and the values added; the "Values Removed" column is empty for every entry below.

Fri, 12 Sep 2025 15:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 12 Sep 2025 08:15:00 +0000

Type: First Time appeared
Values Added: Theeventscalendar; Theeventscalendar the Events Calendar; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Theeventscalendar; Theeventscalendar the Events Calendar; Wordpress; Wordpress wordpress

Fri, 12 Sep 2025 02:00:00 +0000

Type: Description
Values Added: The The Events Calendar plugin for WordPress is vulnerable to time-based SQL Injection via the ‘s’ parameter in all versions up to, and including, 6.15.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Type: Title
Values Added: The Events Calendar <= 6.15.1 - Unauthenticated SQL Injection

Type: Weaknesses
Values Added: CWE-89

Type: References
Values Added: (none listed on this page)

Type: Metrics
Values Added: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

MITRE

Status: PUBLISHED
Assigner: Wordfence
Published:
Updated: 2026-04-08T17:06:25.893Z
Reserved: 2025-09-01T15:12:12.036Z
Link: CVE-2025-9807

Vulnrichment

Updated: 2025-09-12T14:35:30.635Z

NVD

Status: Deferred
Published: 2025-09-12T02:15:47.070
Modified: 2026-04-15T00:35:42.020
Link: CVE-2025-9807

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T03:00:06Z

Weaknesses