Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Unauthenticated network SQLi (AV:N/PR:N) but AC:H because a non-default setting and a published event are required; primarily data extraction so C:H, limited I:L, A:N.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
The EventON - WordPress Virtual Event Calendar Plugin plugin for WordPress (full) is vulnerable to SQL Injection via the WordPress 'search' parameter in versions up to, and including, 5.0.11 due to insufficient escaping on the user supplied parameter and lack of preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database, granted the "Enable additional search queries" setting is enabled and at least one published event exists.
Articles & Coverage 2
AnalysisAI
Unauthenticated SQL injection in the EventON WordPress Virtual Event Calendar plugin (versions through 5.0.11) lets remote attackers inject arbitrary SQL through the 'search' parameter, enabling extraction of database contents such as user credentials and secrets. Exploitation is gated by the non-default 'Enable additional search queries' setting being enabled and the presence of at least one published event. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the EventON plugin's 'Enable additional search queries' setting be enabled (a non-default configuration toggle) AND that at least one published event exist on the site; both conditions are explicitly stated in the advisory. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, base 9.8) reflects a network-reachable, low-complexity, unauthenticated path with high impact across confidentiality, integrity, and availability - characteristic of an unauthenticated SQLi. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker discovers a public WordPress site running EventON ≤5.0.11 with additional search queries enabled and at least one published event, then sends a crafted HTTP request supplying a malicious SQL payload in the 'search' parameter. Because the input is concatenated into the query without escaping or preparation, the appended SQL executes and returns database contents - for example dumping wp_users password hashes and secret keys - without any authentication. … |
| Remediation | Upgrade EventON to a version later than 5.0.11 once released by the vendor; the input data does not include a specific fixed version, so no vendor-released patch version is independently confirmed at time of analysis - consult the Wordfence advisory (https://www.wordfence.com/threat-intel/vulnerabilities/id/1b5a0c87-59b0-4da4-8949-0957f8e1b479?source=cve) and vendor site (https://www.myeventon.com/) for the patched release. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Disable EventON plugin or immediately disable the 'Enable additional search queries' setting in plugin configuration. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40273
GHSA-7pfh-grwq-33x4