Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
Network-reachable Subscriber-authenticated SQLi (PR:L) with scope change reading database beyond plugin; low integrity included since SQLi typically permits some write/UPDATE primitives.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
Lifecycle Timeline
2DescriptionCVE.org
Subscriber SQL Injection in Events Schedule - WordPress Events Calendar Plugin <= 2.7.2 versions.
AnalysisAI
SQL injection in the Events Schedule - WordPress Events Calendar plugin (versions <= 2.7.2) by CurlyThemes allows authenticated users with Subscriber-level privileges to inject arbitrary SQL into backend database queries. Because the CVSS scope is Changed with high confidentiality impact, a successful attacker can read data beyond the plugin's intended boundary, potentially exfiltrating WordPress user hashes and site secrets. No public exploit identified at time of analysis, and the issue is reported by Patchstack.
Technical ContextAI
The vulnerable component is a WordPress plugin (CurlyThemes' Events Schedule - Events Calendar) that exposes a database-backed query path reachable by low-privilege authenticated users. The root cause is CWE-89 (Improper Neutralization of Special Elements used in an SQL Command), meaning user-controlled input is concatenated into a SQL statement without parameterization or proper escaping via $wpdb->prepare(). WordPress Subscriber accounts are typically created via open registration, so the privilege barrier is often low in real deployments. The CPE 'cpe:2.3:a:curlythemes:events_schedule_-_wordpress_events_calendar_plugin:*' covers all versions up to and including 2.7.2.
RemediationAI
Upstream fix available per Patchstack advisory; released patched version not independently confirmed from the provided data, so administrators should upgrade to the latest plugin release published after 2.7.2 as listed at https://patchstack.com/database/wordpress/plugin/weekly-class/vulnerability/wordpress-events-schedule-wordpress-events-calendar-plugin-plugin-2-7-2-sql-injection-vulnerability and verify the version in wp-admin. If an immediate upgrade is not feasible, disable or uninstall the plugin (the safest option, but it removes event-calendar functionality), or disable open WordPress user registration via Settings → General to eliminate the Subscriber attack path (side effect: blocks legitimate self-service signups). As a stopgap, deploy a WAF rule (Patchstack, Wordfence, or equivalent) targeting SQLi patterns against the plugin's AJAX/REST endpoints, accepting that signature-based rules can be bypassed by skilled attackers.
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-210229