CVE-2025-12646
WordPress · WordPress Community Events plugin
A high-severity SQL Injection vulnerability has been identified in the Community Events plugin for WordPress.
Executive summary
A high-severity SQL Injection vulnerability has been identified in the Community Events plugin for WordPress. This flaw allows an unauthenticated attacker to manipulate the website's database by sending a specially crafted request. Successful exploitation could lead to the theft of sensitive data, unauthorized modification of website content, or a complete compromise of the affected site.
Vulnerability
The vulnerability is a SQL Injection flaw that exists due to insufficient input sanitization of the dayofyear parameter. An attacker can inject malicious SQL commands into this parameter within an HTTP request sent to the website. The web application improperly incorporates this malicious input into a database query, causing the backend database to execute the attacker's commands, which could allow for data exfiltration, modification, or deletion.
Business impact
This vulnerability is rated as High severity with a CVSS score of 7.5. Exploitation of this flaw could have significant negative consequences for the business, including:
- Data Breach: Unauthorized access to and exfiltration of sensitive information, such as user credentials, personally identifiable information (PII), and customer data.
- Reputational Damage: Website defacement, loss of customer trust, and negative publicity resulting from a security incident.
- Operational Disruption: Corruption or deletion of database records could render the website or its features unusable, impacting business operations.
- Compliance Risk: A data breach could result in regulatory fines and penalties under data protection laws like GDPR or CCPA.
Remediation
Immediate Action:
- Identify all WordPress instances running the "Community Events" plugin.
- Update the plugin to the latest available version immediately, as recommended by the vendor.
- If the plugin is not critical to business operations, consider disabling and removing it to eliminate the attack surface entirely.
Proactive Monitoring:
- Review web server and Web Application Firewall (WAF) logs for requests containing the dayofyear parameter with suspicious SQL syntax (e.g., UNION, SELECT, --, ' OR '1'='1').
- Monitor database logs for unusual or malformed queries originating from the web application.
- Look for signs of compromise, such as the creation of new administrative accounts, unauthorized content changes, or unexpected website behavior.
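As an added illustration of the log review described above (example code written for this page, not part of the original advisory or the plugin), the following Python script scans constructed web-server access-log lines for requests whose dayofyear parameter carries the SQL syntax listed (UNION, SELECT, --, ' OR '1'='1'); the Common Log Format layout, the IP addresses and the paths are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Indicators taken from the advisory's monitoring guidance. Each regex is
# applied to the URL-decoded value of the dayofyear parameter.
SQLI_INDICATORS = {
    "union": re.compile(r"\bunion\b", re.I),
    "select": re.compile(r"\bselect\b", re.I),
    "comment": re.compile(r"--|/\*|#"),
    "tautology": re.compile(r"'\s*or\s*'?1'?\s*=\s*'?1", re.I),
}

# Request field of a Common Log Format line: "GET /path?query HTTP/1.1" (assumed layout).
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def dayofyear_values(log_line):
    """Return every dayofyear value in the request target, URL-decoded."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return []
    query = urlsplit(m.group("target")).query
    # parse_qs decodes once; decode again so a double-encoded value (%2527) is inspected too.
    return [unquote_plus(v) for v in parse_qs(query, keep_blank_values=True).get("dayofyear", [])]

def classify(log_line):
    """Return the names of the indicators matched in the dayofyear parameter, in table order."""
    hits = []
    for value in dayofyear_values(log_line):
        for name, pattern in SQLI_INDICATORS.items():
            if pattern.search(value) and name not in hits:
                hits.append(name)
    return hits

def scan(log_lines):
    """Return (line_number, line, indicators) for each line that warrants review."""
    return [(i, line, hits) for i, line in enumerate(log_lines, 1) if (hits := classify(line))]

# Constructed sample lines (placeholder IPs and paths); line 4 has no dayofyear parameter at all.
SAMPLE_LOG = [
    '198.51.100.7 - - [05/Nov/2025:10:01:02 +0000] "GET /?dayofyear=309 HTTP/1.1" 200 4321',
    '198.51.100.8 - - [05/Nov/2025:10:01:09 +0000] "GET /?dayofyear=309%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9876',
    '198.51.100.9 - - [05/Nov/2025:10:01:15 +0000] "GET /?dayofyear=1%20UNION%20SELECT%201,2,3-- HTTP/1.1" 200 5555',
    '198.51.100.9 - - [05/Nov/2025:10:01:20 +0000] "GET /?page_id=2&select=UNION HTTP/1.1" 200 1111',
]

if __name__ == "__main__":
    for n, line, hits in scan(SAMPLE_LOG):
        print(f"line {n}: {', '.join(hits)} -> {line}")
```

Only the value of the dayofyear parameter is inspected, so the same keywords in other parameters (line 4) do not produce a hit; widen the parameter list if other endpoints of the plugin are in scope.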
Compensating Controls:
- If immediate patching is not feasible, implement a Web Application Firewall (WAF) with strict SQL injection detection and prevention rules.
- Ensure the WordPress database user is configured with the principle of least privilege, limiting the scope of potential damage if an injection is successful.
- Restrict access to the functionality that utilizes the vulnerable parameter, if possible.
Exploitation status
Public Exploit Available: False
Analyst recommendation
Given the High severity (CVSS 7.5) of this vulnerability, we recommend immediate action. All organizations using the WordPress Community Events plugin must prioritize patching to prevent potential data breaches and website compromise. Although this CVE is not currently on the CISA KEV list, its straightforward exploitability makes it an attractive target for automated attacks and opportunistic threat actors. The primary course of action should be to apply the vendor-supplied update; if this is not possible, the plugin should be disabled until a patch can be deployed.