Skip to main content

EventON CVE-2026-9711

| EUVDEUVD-2026-40273 CRITICAL
SQL Injection (CWE-89)
2026-06-30 Wordfence GHSA-7pfh-grwq-33x4
9.8
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
6.5 MEDIUM

Unauthenticated network SQLi (AV:N/PR:N) but AC:H because a non-default setting and a published event are required; primarily data extraction so C:H, limited I:L, A:N.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N
4.0 AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jun 30, 2026 - 10:20 vuln.today
CVE Published
Jun 30, 2026 - 09:31 cve.org
CRITICAL 9.8

DescriptionCVE.org

The EventON - WordPress Virtual Event Calendar Plugin plugin for WordPress (full) is vulnerable to SQL Injection via the WordPress 'search' parameter in versions up to, and including, 5.0.11 due to insufficient escaping on the user supplied parameter and lack of preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database, granted the "Enable additional search queries" setting is enabled and at least one published event exists.

AnalysisAI

Unauthenticated SQL injection in the EventON WordPress Virtual Event Calendar plugin (versions through 5.0.11) lets remote attackers inject arbitrary SQL through the 'search' parameter, enabling extraction of database contents such as user credentials and secrets. Exploitation is gated by the non-default 'Enable additional search queries' setting being enabled and the presence of at least one published event. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify WordPress site running EventON ≤5.0.11
Delivery
Confirm search feature and published event
Exploit
Send crafted SQL in 'search' parameter
Execution
Injected query executes on backend
Impact
Extract user hashes and secrets from database

Vulnerability AssessmentAI

Exploitation Exploitation requires that the EventON plugin's 'Enable additional search queries' setting be enabled (a non-default configuration toggle) AND that at least one published event exist on the site; both conditions are explicitly stated in the advisory. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, base 9.8) reflects a network-reachable, low-complexity, unauthenticated path with high impact across confidentiality, integrity, and availability - characteristic of an unauthenticated SQLi. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker discovers a public WordPress site running EventON ≤5.0.11 with additional search queries enabled and at least one published event, then sends a crafted HTTP request supplying a malicious SQL payload in the 'search' parameter. Because the input is concatenated into the query without escaping or preparation, the appended SQL executes and returns database contents - for example dumping wp_users password hashes and secret keys - without any authentication. …
Remediation Upgrade EventON to a version later than 5.0.11 once released by the vendor; the input data does not include a specific fixed version, so no vendor-released patch version is independently confirmed at time of analysis - consult the Wordfence advisory (https://www.wordfence.com/threat-intel/vulnerabilities/id/1b5a0c87-59b0-4da4-8949-0957f8e1b479?source=cve) and vendor site (https://www.myeventon.com/) for the patched release. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Disable EventON plugin or immediately disable the 'Enable additional search queries' setting in plugin configuration. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-9711 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy