Description
The Community Events plugin for WordPress is vulnerable to SQL Injection via the 'ce_venue_name' CSV field in the `on_save_changes_venues` function in all versions up to, and including, 1.5.8. This is due to insufficient escaping on the user-supplied CSV data and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database via a crafted CSV file upload.
Published: 2026-03-07
Score: 4.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Apply Patch
AI Analysis

Impact

The Community Events plugin for WordPress contains a SQL injection flaw in the on_save_changes_venues function that processes the ce_venue_name field from a CSV upload. The input is not escaped or prepared, allowing an attacker with Administrator privileges to insert arbitrary SQL fragments into the query. This can be used to read confidential information from the database, such as event details, user data, or other posts, effectively resulting in unauthorized data disclosure. The vulnerability is a classic instance of CWE-89.

Affected Systems

All installations of the Community Events plugin version 1.5.8 or earlier, used in WordPress sites where the site administrator or a higher‑privilege user can upload CSV files via the venue editing interface. Any WordPress installation running these plugin versions is vulnerable as long as the vulnerable code path is reachable.

Risk and Exploitability

The CVSS score of 4.9 reflects moderate severity, and the EPSS score of less than 1% indicates a very low current exploitation probability. The issue is not listed in the CISA KEV catalog, suggesting no widespread exploitation has been reported. An attacker would need to log into the WordPress admin area, upload a crafted CSV file using the plugin's venue editing feature, and have their SQL payload execute. Because the attack requires authenticated Administrator access and a specific plugin feature, the real-world risk is limited to compromised or poorly secured sites where an administrator account is abused or its holder is tricked into uploading a crafted file.

Generated by OpenCVE AI on April 15, 2026 at 16:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Community Events plugin to the latest available version that addresses the SQL injection flaw.
  • If an immediate upgrade is not possible, limit the upload of CSV files to highly trusted administrators and apply input validation or prepared statements to the ce_venue_name field before it reaches the database.
  • Deploy a web application firewall or similar security appliance that blocks anomalous SQL syntax in file uploads or blocks the vulnerable endpoint altogether.
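The second recommended action above (prepared statements before the CSV value reaches the database) in WordPress terms, as an added illustrative example that is not the plugin's own code. It assumes a hypothetical table `{$wpdb->prefix}ce_venues` with a `venue_name` column and the standard WordPress `$wpdb` global; the function names are invented for the example.

```php
<?php
// Added example (not from the Community Events plugin): handing a CSV cell
// to the database with string interpolation versus with $wpdb->prepare().
// Assumes WordPress is loaded ($wpdb, sanitize_text_field, wp_unslash) and a
// hypothetical table {$wpdb->prefix}ce_venues(venue_name VARCHAR(200)).

// Defective pattern, the class of bug the advisory describes: the raw CSV
// cell is spliced into the SQL string, so a quote inside the cell ends the
// literal and whatever follows is parsed as SQL.
function ce_insert_venue_unsafe( $venue_name ) {
    global $wpdb;
    $table = $wpdb->prefix . 'ce_venues';
    return $wpdb->query( "INSERT INTO {$table} (venue_name) VALUES ('{$venue_name}')" );
}

// Hardened pattern: validate the cell, then bind it with a %s placeholder.
// $wpdb->prepare() escapes the bound value, so a name such as O'Brien's Hall
// is stored verbatim and never changes the shape of the query.
function ce_insert_venue_safe( $venue_name ) {
    global $wpdb;
    $venue_name = sanitize_text_field( wp_unslash( (string) $venue_name ) );
    if ( '' === $venue_name || strlen( $venue_name ) > 200 ) {
        return false; // reject empty or implausibly long names before any SQL
    }
    $table = $wpdb->prefix . 'ce_venues';
    $sql   = $wpdb->prepare( "INSERT INTO {$table} (venue_name) VALUES (%s)", $venue_name );
    // $wpdb->insert( $table, array( 'venue_name' => $venue_name ), array( '%s' ) )
    // is an equivalent helper that prepares the value for you.
    return $wpdb->query( $sql );
}

// Import loop for an uploaded CSV whose first column is ce_venue_name.
// Returns the number of rows accepted; rejected rows are simply skipped.
function ce_import_venues_csv( $path ) {
    $fh = fopen( $path, 'r' );
    if ( ! $fh ) {
        return 0;
    }
    $accepted = 0;
    while ( ( $row = fgetcsv( $fh ) ) !== false ) {
        if ( isset( $row[0] ) && ce_insert_venue_safe( $row[0] ) ) {
            $accepted++;
        }
    }
    fclose( $fh );
    return $accepted;
}
```

Only the safe path should be reachable from the upload handler; the unsafe function is shown solely so the two shapes can be compared during code review.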


Advisories

No advisories yet.

History

Mon, 09 Mar 2026 20:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 09 Mar 2026 10:15:00 +0000

Type: First Time appeared
Values Added: Jackdewey; Jackdewey community Events; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Jackdewey; Jackdewey community Events; Wordpress; Wordpress wordpress

Sat, 07 Mar 2026 02:15:00 +0000

Type: Description
Values Added: The Community Events plugin for WordPress is vulnerable to SQL Injection via the 'ce_venue_name' CSV field in the `on_save_changes_venues` function in all versions up to, and including, 1.5.8. This is due to insufficient escaping on the user-supplied CSV data and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database via a crafted CSV file upload.

Type: Title
Values Added: Community Events <= 1.5.8 - Authenticated (Administrator+) SQL Injection via 'ce_venue_name' CSV Field

Type: Weaknesses
Values Added: CWE-89

Type: References

Type: Metrics (cvssV3_1)
Values Added: {'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N'}


Subscriptions

Jackdewey Community Events
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:18:51.395Z

Reserved: 2026-02-12T21:00:05.955Z

Link: CVE-2026-2429

Vulnrichment

Updated: 2026-03-09T19:00:24.957Z

NVD

Status : Deferred

Published: 2026-03-07T02:16:12.257

Modified: 2026-04-22T21:27:27.950

Link: CVE-2026-2429

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T17:00:07Z

Weaknesses