Skip to main content

Eventer EUVDEUVD-2026-42170

| CVE-2026-9700 HIGH
SQL Injection (CWE-89)
2026-07-08 Wordfence GHSA-cq7c-w54c-w89p
7.5
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
7.5 HIGH

Unauthenticated network-reachable 'code' parameter (AV:N/AC:L/PR:N/UI:N) yields blind data extraction, so C:H with no integrity or availability impact.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 08, 2026 - 06:21 vuln.today
CVE Published
Jul 08, 2026 - 05:34 nvd
HIGH 7.5

DescriptionCVE.org

The Eventer plugin for WordPress is vulnerable to time-based SQL Injection via the ‘code’ parameter in all versions up to, and including, 4.4.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

AnalysisAI

SQL injection in the Eventer WordPress event manager plugin (all versions through 4.4.2) lets unauthenticated attackers inject arbitrary SQL through the 'code' parameter, extracting database contents such as user credentials and session data. The flaw stems from unescaped user input concatenated into an existing query, exploitable remotely without authentication (PR:N). …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify site running Eventer plugin
Delivery
Send crafted 'code' parameter with time-based payload
Exploit
Trigger blind SQL injection in unprepared query
Execution
Infer data via response timing
Impact
Extract credentials from WordPress database

Vulnerability AssessmentAI

Exploitation Exploitation requires only that the Eventer plugin (version ≤ 4.4.2) is installed and its event-'code' handling endpoint is reachable over the network - the CVSS vector AV:N/AC:L/PR:N/UI:N confirms no authentication, no user interaction, and no special privileges are needed against a default plugin installation. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N) confirms genuinely low-friction exploitation: network-reachable, low complexity, no privileges, no user interaction - the hallmark of an internet-facing, automatable WordPress attack surface. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker discovers a WordPress site running the Eventer plugin and sends a crafted request supplying a time-based SQL payload in the 'code' parameter (e.g., a conditional SLEEP()). By observing response timing across many automated requests, the attacker blindly extracts administrator password hashes and other sensitive rows from the WordPress database. …
Remediation No fixed version is identified in the provided data, so no exact patch release can be cited; monitor the Wordfence advisory (https://www.wordfence.com/threat-intel/vulnerabilities/id/5e3b0a3a-ce4b-40fd-9519-a81e315cee42) and the CodeCanyon product page for an update beyond 4.4.2 and apply it as soon as it is published. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all WordPress installations for the Eventer plugin and document current versions in use. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-42170 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy