CVE-2025-0959

High CVSS: 8.8

The Eventer - WordPress Event & Booking Manager Plugin plugin for WordPress is vulnerable to SQL Injection via the reg_id parameter in all versions up to, and including, 3.9.9.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Vendor

Imithemes

Product

Eventer

CWE

CWE-564

Yayın Tarihi

2025-03-07 09:15:16

Güncelleme

2025-03-13 14:59:44

Source Identifier

security@wordfence.com

KEV Date Added

Kategoriler

CWE-564 Eventer HIGH Imithemes 2025

Referanslar

https://codecanyon.net/item/eventer-wordpress-event-manager-plugin/20972534 https://www.wordfence.com/threat-intel/vulnerabilities/id/bd42c89e-57db-458f-910c-404a5615f280?source=cve

Benzer Kayıtlar

Critical

CVE-2025-39481

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in imithemes Eventer…

High

CVE-2025-39482

Missing Authorization vulnerability in imithemes Eventer eventer allows Exploiting Incorrectly Configured Access Control…

Medium

CVE-2025-22635

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in imithemes Eventer…

Medium

CVE-2024-11132

The Eventer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcodes in versions up to, and incl…

Medium

CVE-2024-11133

The Eventer plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the '…

Medium

CVE-2024-11134

The Eventer plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the '…