Description
The EventON - WordPress Virtual Event Calendar Plugin plugin for WordPress (full) is vulnerable to SQL Injection via the WordPress 'search' parameter in versions up to, and including, 5.0.11 due to insufficient escaping on the user supplied parameter and lack of preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database, granted the "Enable additional search queries" setting is enabled and at least one published event exists.
Published: 2026-06-30
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability lies in the plugin's handling of the 'search' request parameter: the user-supplied value is not adequately escaped and is concatenated into an existing SQL query that is never prepared with placeholders. This is a SQL injection flaw (CWE-89), not code injection, and it is reachable without authentication. An attacker can append SQL to the query and, because the injection is blind (as the advisory title states), infer data from the WordPress database through boolean or time-based conditions rather than reading it back directly. Exploitation requires the "Enable additional search queries" option to be active and at least one published event; under those conditions the attacker can read rows from any table the database user can access, including WordPress user records and password hashes.
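The flaw class described above, shown in code as an added illustration that is not EventON's source (the plugin's real query, table and function names are not on this page): a hypothetical evo_example_search_vulnerable() interpolates the raw 'search' value into a LIKE clause, and evo_example_search_prepared() is the corrected form using $wpdb->prepare() with $wpdb->esc_like(). The table name evo_events and both function names are assumptions.

```php
<?php
// Added illustration of the CWE-89 pattern (unescaped input, unprepared query),
// not EventON's code. Assumes a WordPress environment where the global $wpdb is
// available and a hypothetical custom table {$wpdb->prefix}evo_events.

/**
 * Vulnerable pattern: the user-controlled 'search' value is spliced straight
 * into the SQL string. A single quote in $search terminates the LIKE literal
 * and whatever follows is parsed as SQL; with no output echoed back, an
 * attacker still extracts data via boolean or time-based conditions (blind SQLi).
 */
function evo_example_search_vulnerable( string $search ): array {
    global $wpdb;
    $table = $wpdb->prefix . 'evo_events';
    $sql   = "SELECT id, title FROM {$table} WHERE title LIKE '%{$search}%' AND status = 'publish'";
    return (array) $wpdb->get_results( $sql, ARRAY_A );
}

/**
 * Hardened pattern: the query is prepared with a %s placeholder, so the value
 * is bound as data and can never alter the query structure. LIKE wildcards in
 * the input are escaped with $wpdb->esc_like() before the wrapping '%' are
 * added, and the length is capped (assumed limit) to blunt expensive scans.
 */
function evo_example_search_prepared( string $search ): array {
    global $wpdb;
    $table   = $wpdb->prefix . 'evo_events';
    $search  = mb_substr( $search, 0, 100 );
    $pattern = '%' . $wpdb->esc_like( $search ) . '%';
    $sql     = $wpdb->prepare(
        "SELECT id, title FROM {$table} WHERE title LIKE %s AND status = 'publish'",
        $pattern
    );
    return (array) $wpdb->get_results( $sql, ARRAY_A );
}

// Typical call site: the raw request value should only ever reach the prepared version.
// $results = evo_example_search_prepared( wp_unslash( $_GET['search'] ?? '' ) );
```

The order of operations in the hardened version matters: esc_like() must run on the user value before the surrounding '%' wildcards are appended, otherwise the wildcards the code intends to add are escaped too and the search silently stops matching.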

Affected Systems

Installations of the EventON - WordPress Virtual Event Calendar Plugin (the full plugin, as the CVE description puts it) at version 5.0.11 or earlier. The flaw is in the code handling the search feature and is only reachable when the "Enable additional search queries" setting is on and at least one published event exists.

Risk and Exploitability

The flaw carries a CVSS 3.1 base score of 9.8 (Critical; AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Its EPSS probability is below 1%, so no exploitation activity is reflected in that model yet, and it is not listed in the CISA KEV catalog; the SSVC assessment nonetheless rates it Automatable with total technical impact. The attack path is a single unauthenticated HTTP request to the plugin's search endpoint carrying a crafted 'search' parameter; no account, user interaction or special access is needed, so any Internet-reachable site running an affected version with the prerequisite setting enabled and a published event is exposed.

Generated by OpenCVE AI on June 30, 2026 at 11:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the EventON plugin to a version newer than 5.0.11 as soon as the vendor publishes one; no fixed release is listed here yet, so confirm in the vendor changelog that the release you install addresses this issue
  • If upgrading is not yet possible, disable the "Enable additional search queries" setting, which removes the prerequisite for reaching the vulnerable query path
  • As defence in depth, reject 'search' values containing characters a legitimate event search does not need, cap their length, and add a web application firewall rule for SQL metacharacters in that parameter; such filtering reduces exposure but is not a substitute for the code fix, which is to bind the value with $wpdb->prepare() (using $wpdb->esc_like() for LIKE patterns)
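The interim filtering from the last bullet, as an added example of a WordPress must-use plugin (not code from EventON or OpenCVE): it runs on every request before regular plugins act, and rejects a 'search' parameter that fails a conservative whitelist. The function names vp_example_*, the character whitelist and the 100-byte cap are assumptions to be tuned for the site.

```php
<?php
/**
 * Plugin Name: Search parameter virtual patch (example)
 *
 * Added example of the interim mitigation, not part of EventON or OpenCVE.
 * Place in wp-content/mu-plugins/ so it loads before regular plugins. It rejects
 * any request whose 'search' parameter contains characters that have no place in
 * an event search and logs the attempt. Whitelist and length cap are assumptions.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

function vp_example_search_value_is_acceptable( $value ): bool {
    // Arrays or other non-strings are never acceptable for this parameter.
    if ( ! is_string( $value ) ) {
        return false;
    }
    // Letters in any script, digits, whitespace and a few punctuation marks only.
    // Quotes, semicolons, comment markers and parentheses are deliberately excluded,
    // so a value cannot terminate a SQL literal. Cap is 100 bytes (assumed limit).
    return strlen( $value ) <= 100
        && preg_match( '/\A[\p{L}\p{N}\s.,\-_:]*\z/u', $value ) === 1;
}

function vp_example_block_bad_search_parameter(): void {
    // The vulnerable value could arrive with either method, so check both.
    foreach ( array( $_GET, $_POST ) as $source ) {
        if ( ! isset( $source['search'] ) ) {
            continue;
        }
        $raw   = $source['search'];
        $value = is_string( $raw ) ? wp_unslash( $raw ) : $raw;
        if ( vp_example_search_value_is_acceptable( $value ) ) {
            continue;
        }
        error_log( sprintf(
            'virtual patch: rejected search parameter from %s: %s',
            $_SERVER['REMOTE_ADDR'] ?? 'unknown',
            is_string( $value ) ? substr( $value, 0, 200 ) : gettype( $value )
        ) );
        wp_die( 'Invalid search parameter.', 'Bad Request', array( 'response' => 400 ) );
    }
}

// Priority 0 on 'init' runs ahead of handlers most plugins register on the same hook.
add_action( 'init', 'vp_example_block_bad_search_parameter', 0 );
```

WordPress core uses 's' for its own site search, but the REST API uses a 'search' query parameter on collection endpoints, so this whitelist also constrains REST clients; check that legitimate queries on the site pass before deploying, and remove the mu-plugin once the patched plugin version is installed.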

Generated by OpenCVE AI on June 30, 2026 at 11:24 UTC.

Advisories

No advisories yet.

History

Tue, 30 Jun 2026 13:30:00 +0000

No values removed. Values added:

Metrics (ssvc): {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 30 Jun 2026 09:45:00 +0000

No values removed. Values added:

Description: The EventON - WordPress Virtual Event Calendar Plugin plugin for WordPress (full) is vulnerable to SQL Injection via the WordPress 'search' parameter in versions up to, and including, 5.0.11 due to insufficient escaping on the user supplied parameter and lack of preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database, granted the "Enable additional search queries" setting is enabled and at least one published event exists.
Title: EventON - WordPress Virtual Event Calendar Plugin <= 5.0.11 - Unauthenticated Blind SQL Injection via Search Parameter
Weaknesses: CWE-89
References: (none listed)
Metrics (cvssV3_1): {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-30T12:33:48.495Z

Reserved: 2026-05-27T14:04:49.057Z

Link: CVE-2026-9711

Vulnrichment

Updated: 2026-06-30T12:33:43.108Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-30T11:30:04Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')