CVE-2025-6970

WordPress · WordPress Events Manager – Calendar, Bookings, Tickets, and more! plugin

Executive summary

A high-severity SQL Injection vulnerability in the Events Manager WordPress plugin allows an unauthenticated attacker to exfiltrate sensitive database information.

Vulnerability

This vulnerability allows an unauthenticated attacker to execute time-based SQL injection attacks. The flaw exists due to insufficient sanitization of user-supplied input to the 'orderby' parameter, enabling the attacker to manipulate database queries and infer database content.

Business impact

A successful exploit could allow an attacker to exfiltrate sensitive information from the underlying WordPress database, including user credentials, personal data, and other confidential site content. With a CVSS score of 7.5 (High), this vulnerability poses a significant risk to data confidentiality and integrity, potentially leading to reputational damage and regulatory penalties.

Remediation

Immediate Action: Immediately update the Events Manager plugin to the latest patched version provided by the vendor. If the plugin is no longer required, it should be deactivated and removed entirely.

Proactive Monitoring: Monitor web server and database logs for unusually long query execution times or suspicious SQL syntax targeting the affected plugin's functionality, particularly involving the 'orderby' parameter.
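As an added example (not code from the advisory or from the plugin), the log check described above can be scripted. The Python below parses constructed access-log lines in Apache "combined" format with a trailing response-time field, using hypothetical paths and addresses, and flags requests whose 'orderby' value is not a plain column list, carries SQL syntax, or took unusually long, which is how time-based injection shows up in logs.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines: Apache "combined" format plus a trailing %D field
# (response time in microseconds). IPs, paths and timestamps are hypothetical,
# not the plugin's real endpoints.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Jul/2025:12:00:01 +0000] "GET /events/?orderby=event_start_date&order=ASC HTTP/1.1" 200 5120 "-" "Mozilla/5.0" 41873
203.0.113.10 - - [10/Jul/2025:12:00:02 +0000] "GET /events/?orderby=event_name%20AND%20SLEEP(5) HTTP/1.1" 200 5120 "-" "curl/8.0" 5061234
203.0.113.11 - - [10/Jul/2025:12:00:03 +0000] "GET /events/?orderby=event_name HTTP/1.1" 200 5120 "-" "python-requests/2.31" 4900000
198.51.100.5 - - [10/Jul/2025:12:00:04 +0000] "GET /wp-content/uploads/x.png HTTP/1.1" 200 900 "-" "Mozilla/5.0" 12000
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)" (?P<us>\d+)$'
)
# A legitimate orderby is a column name (optionally table-qualified), a comma
# list of them, or one followed by ASC/DESC. Anything else needs a look.
SAFE_ORDERBY = re.compile(r'^[\w.]+(,[\w.]+)*(\s+(asc|desc))?$', re.IGNORECASE)
SQL_HINTS = re.compile(r'\b(sleep|benchmark|select|union)\b|[()\'"]', re.IGNORECASE)
SLOW_US = 3_000_000  # 3 s; tune to the site's normal tail latency for listings


def analyze_line(line, slow_us=SLOW_US):
    """Return a finding for one log line, or None if it has no orderby or looks normal."""
    m = LOG_RE.match(line)
    if not m:
        return None
    query = parse_qs(urlsplit(m["target"]).query, keep_blank_values=True)
    if "orderby" not in query:
        return None
    value = query["orderby"][0]  # parse_qs already percent-decodes the value
    reasons = []
    if not SAFE_ORDERBY.match(value):
        reasons.append("orderby is not a plain column list")
    if SQL_HINTS.search(value):
        reasons.append("orderby contains SQL syntax")
    micros = int(m["us"])
    if micros >= slow_us:  # time-based injection shows up as latency, not errors
        reasons.append(f"slow response ({micros / 1e6:.1f}s)")
    return {"ip": m["ip"], "ua": m["ua"], "orderby": value, "reasons": reasons} if reasons else None


def scan_log(text, slow_us=SLOW_US):
    """Scan a whole log body and return only the lines worth an analyst's attention."""
    return [f for f in (analyze_line(l, slow_us) for l in text.splitlines()) if f]
```

Run `scan_log` over a real access log that has `%D` enabled; the latency-only finding on the third sample line is the case a pure signature rule would miss.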

Compensating Controls: Implement and configure a Web Application Firewall (WAF) with rules designed to detect and block common SQL injection patterns as a virtual patch pending the update.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the high severity of this vulnerability and the potential for complete database compromise by an unauthenticated attacker, immediate action is required. We strongly recommend prioritizing the application of the vendor-supplied update to the Events Manager plugin to prevent potential data breaches and unauthorized access.