CVE-2026-9711
EventON · EventON (Pro) - WordPress Virtual Event Calendar Plugin
The EventON WordPress plugin is vulnerable to unauthenticated SQL injection via the search parameter due to insufficient input escaping and lack of parameterized queries.
Executive summary
A critical SQL injection vulnerability in the EventON plugin allows unauthenticated attackers to extract sensitive database information, posing a severe risk to data confidentiality.
Vulnerability
The vulnerability exists due to improper handling of the WordPress 'search' parameter. Unauthenticated attackers can inject malicious SQL commands into existing queries if the "Enable additional search queries" setting is active, allowing for unauthorized data extraction.
Business impact
With a CVSS score of 9.8, this vulnerability represents an extreme risk of data breach. Successful exploitation allows unauthorized access to the underlying database, potentially exposing sensitive customer data, administrative credentials, or proprietary information, leading to severe regulatory and financial consequences.
Remediation
Immediate Action: Update the EventON plugin to the latest version as soon as possible to resolve the SQL injection flaw.
Proactive Monitoring: Monitor database query logs for anomalous patterns or injection-style characters (e.g., ', --, UNION) associated with the search function.
Compensating Controls: Utilize a Web Application Firewall (WAF) with SQL injection protection rules to inspect and filter malicious search queries before they reach the application.
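To make the root cause described under Vulnerability and the fix behind the update concrete, here is an added illustration in PHP; it is not EventON's own code, which this advisory does not reproduce. It shows a hypothetical plugin search handler in the vulnerable shape (request value spliced into the SQL string) beside the parameterized form using $wpdb->prepare(); the function, table and column names are assumptions made up for the example.

```php
<?php
// Added illustration, not EventON's code: a hypothetical WordPress plugin
// search handler in the vulnerable shape described by the advisory, next to
// the parameterized form that removes the injection. Table and column names
// are made up for the example.

// VULNERABLE: the request value is spliced straight into the SQL string.
// Quotes, comment sequences and UNION clauses in the value become SQL.
function evo_example_search_vulnerable( $search ) {
    global $wpdb;
    $table = $wpdb->prefix . 'evo_example_events';
    $sql   = "SELECT id, title FROM {$table} "
           . "WHERE title LIKE '%" . $search . "%'";
    return $wpdb->get_results( $sql );
}

// FIXED: the value travels as a bound %s parameter, so it can only ever be
// data; esc_like() additionally neutralises the LIKE wildcards so user input
// cannot widen the match. The table name comes from $wpdb->prefix, never
// from the request, which is why interpolating it here is acceptable.
function evo_example_search_fixed( $search ) {
    global $wpdb;
    $table = $wpdb->prefix . 'evo_example_events';
    $like  = '%' . $wpdb->esc_like( $search ) . '%';
    $sql   = $wpdb->prepare(
        "SELECT id, title FROM {$table} WHERE title LIKE %s",
        $like
    );
    return $wpdb->get_results( $sql );
}

// Request handling: WordPress slash-escapes $_GET, so unslash first, then
// sanitize. Note that sanitize_text_field() is NOT an SQL escaping function;
// the protection comes from prepare() above, not from this step.
function evo_example_handle_request() {
    $raw    = isset( $_GET['search'] ) ? wp_unslash( $_GET['search'] ) : '';
    $search = sanitize_text_field( $raw );
    return evo_example_search_fixed( $search );
}
```

When reviewing a plugin for this class of flaw, the check is whether every query that touches a request value goes through $wpdb->prepare() (or an equivalent bound-parameter API); escaping helpers alone do not make concatenated SQL safe.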
Exploitation status
Public Exploit Available: No
Analyst recommendation
This vulnerability is highly critical and requires immediate attention to prevent unauthorized access to sensitive database contents. Organizations utilizing EventON must apply the latest vendor update as soon as possible to mitigate the risk of data exfiltration.