Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Unauthenticated network-reachable 'code' parameter (AV:N/AC:L/PR:N/UI:N) yields blind data extraction, so C:H with no integrity or availability impact.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
The Eventer plugin for WordPress is vulnerable to time-based SQL Injection via the ‘code’ parameter in all versions up to, and including, 4.4.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
AnalysisAI
SQL injection in the Eventer WordPress event manager plugin (all versions through 4.4.2) lets unauthenticated attackers inject arbitrary SQL through the 'code' parameter, extracting database contents such as user credentials and session data. The flaw stems from unescaped user input concatenated into an existing query, exploitable remotely without authentication (PR:N). …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires only that the Eventer plugin (version ≤ 4.4.2) is installed and its event-'code' handling endpoint is reachable over the network - the CVSS vector AV:N/AC:L/PR:N/UI:N confirms no authentication, no user interaction, and no special privileges are needed against a default plugin installation. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N) confirms genuinely low-friction exploitation: network-reachable, low complexity, no privileges, no user interaction - the hallmark of an internet-facing, automatable WordPress attack surface. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker discovers a WordPress site running the Eventer plugin and sends a crafted request supplying a time-based SQL payload in the 'code' parameter (e.g., a conditional SLEEP()). By observing response timing across many automated requests, the attacker blindly extracts administrator password hashes and other sensitive rows from the WordPress database. … |
| Remediation | No fixed version is identified in the provided data, so no exact patch release can be cited; monitor the Wordfence advisory (https://www.wordfence.com/threat-intel/vulnerabilities/id/5e3b0a3a-ce4b-40fd-9519-a81e315cee42) and the CodeCanyon product page for an update beyond 4.4.2 and apply it as soon as it is published. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all WordPress installations for the Eventer plugin and document current versions in use. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Account takeover in the Eventer WordPress event-manager plugin (all versions through 4.4.2) stems from the plugin writin
The Eventer - WordPress Event & Booking Manager Plugin plugin for WordPress is vulnerable to SQL Injection via the reg_i
The Eventer plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the '
The Eventer plugin for WordPress is vulnerable to SQL Injection via the 'event' parameter in the 'eventer_get_attendees'
The Eventer plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 3.9.7 via th
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42170
GHSA-cq7c-w54c-w89p