CVE-2025-69135

WordPress · Events Schedule Plugin

The Events Schedule plugin for WordPress contains a SQL injection vulnerability that allows authenticated subscribers to extract sensitive database information.

Executive summary

An authenticated SQL injection vulnerability in the Events Schedule plugin exposes the WordPress database to unauthorized queries by subscriber-level users.

Vulnerability

The plugin fails to perform adequate input validation on database queries. This allows an authenticated "Subscriber" to manipulate SQL statements, leading to unauthorized data exposure or potential modification of the WordPress database.

Business impact

The CVSS score of 8.5 underscores the high risk of data breach associated with this flaw. Attackers can leverage this to dump user tables, including administrator credentials, or modify site content, resulting in significant reputational and operational damage.

Remediation

Immediate Action: Update the Events Schedule plugin to the latest version.

Proactive Monitoring: Monitor database query logs for unusual or highly complex SQL syntax originating from non-administrative user accounts.

Compensating Controls: Use a WAF to filter out common SQL injection payloads, and grant the database account WordPress connects with only the privileges it actually needs (least privilege), so that a successful injection cannot reach beyond the tables and operations the site requires.
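As an added illustration, not code from the Events Schedule plugin (whose affected code is not shown on this page), the hypothetical WordPress AJAX handler below contrasts the unsafe query pattern behind this bug class with a hardened form: a capability check that keeps Subscriber-level accounts away from the query entirely, a nonce check, and $wpdb->prepare() for parameterisation. The hook name, table name, column names and nonce action are assumptions made for the example.

```php
<?php
// Hypothetical handler: names below are invented for illustration.
add_action( 'wp_ajax_es_get_events', 'es_get_events_by_category' );

function es_get_events_by_category() {
    global $wpdb;

    // Authorisation first: Subscribers lack 'edit_posts', so the
    // authenticated-subscriber vector described in the advisory never
    // reaches the database layer.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // Reject requests that were not issued from the plugin's own UI.
    check_ajax_referer( 'es_events_nonce', 'nonce' );

    $category = isset( $_POST['category'] )
        ? sanitize_text_field( wp_unslash( $_POST['category'] ) )
        : '';

    // UNSAFE pattern (the class of defect this advisory describes):
    // untrusted input concatenated straight into the SQL string.
    // $sql = "SELECT id, title FROM {$wpdb->prefix}es_events "
    //      . "WHERE category = '" . $_POST['category'] . "'";

    // Hardened: every user-controlled value goes through a placeholder,
    // so it is quoted and escaped by $wpdb->prepare(), never interpolated.
    $sql = $wpdb->prepare(
        "SELECT id, title, start_time
           FROM {$wpdb->prefix}es_events
          WHERE category = %s
       ORDER BY start_time ASC
          LIMIT %d",
        $category,
        20
    );

    $rows = $wpdb->get_results( $sql, ARRAY_A );
    wp_send_json_success( $rows );
}
```

Identifiers (table or column names) cannot be passed through %s placeholders; when they must vary, map the request value onto a fixed whitelist in PHP rather than building them from input.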

Exploitation status

Public Exploit Available: false

Analyst recommendation

SQL injection remains a primary vector for data theft. Given the potential for total database compromise, administrators must prioritize updating this plugin. If updates are not currently available, restricting access to the plugin's features is recommended.