Impact
Improper neutralization of special characters in SQL statements within the Liquid Web / StellarWP The Events Calendar plugin allows attackers to perform blind SQL injection. This classic injection flaw (CWE‑89) can be used to read restricted data, modify database content, or compromise the integrity of the WordPress site, all from a remote attacker sending specially crafted HTTP requests. The vulnerability is limited to the plugin code and does not allow arbitrary code execution, but it can still expose sensitive information and alter site data.
Affected Systems
The vulnerability affects The Events Calendar plugin for WordPress versions 6.15.12 through 6.16.2 as distributed by Liquid Web and StellarWP. Any WordPress installation that has one of these releases and has the plugin enabled is at risk, regardless of hosting environment.
Risk and Exploitability
The CVSS score of 9.3 indicates a critical severity. The EPSS score of less than 1 % suggests that exploitation is currently rare, but the injection variant is blind, requiring timing or side‑channel techniques to extract data. The likely attack vector is a remote attacker sending crafted HTTP requests to the plugin’s exposed endpoints. The vulnerability is not listed in CISA’s KEV catalog. If the plugin is left unpatched, the risk of data exposure or site compromise remains high, especially for publicly accessible sites.
OpenCVE Enrichment