PT-2026-23814 · WordPress · Wordpress Community Events

Huy Tran · Published 2026-03-07 · Updated 2026-03-07 · CVE-2026-2429

CVSS v3.1: 4.9 (Medium)

Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: WordPress Community Events plugin versions through 1.5.8

Description: The WordPress Community Events plugin is susceptible to SQL Injection through the ce venue name field within CSV files. This occurs due to inadequate escaping of user-provided CSV data and insufficient preparation of existing SQL queries in the on save changes venues function. An authenticated attacker with Administrator-level access or higher can inject additional SQL queries by uploading a specially crafted CSV file, potentially extracting sensitive information from the database.

Recommendations: Update the WordPress Community Events plugin to a version newer than 1.5.8.
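The weakness class described above (CSV cell concatenated into SQL) next to a prepared-statement form, as an added example that is not the plugin's code. The function names, the `ce_venues` table and the `ce_venue_name` column are assumptions made for illustration; the code is meant to run inside a WordPress admin request.

```php
<?php
// Added illustration, not the plugin's code. Table and column names are assumed.

// Weak pattern: the CSV cell is concatenated into the SQL string.
function ce_example_import_unsafe( $csv_path ) {
    global $wpdb;
    $table = $wpdb->prefix . 'ce_venues'; // assumed table name
    $fh    = fopen( $csv_path, 'r' );
    while ( false !== ( $row = fgetcsv( $fh, 0, ',', '"', '\\' ) ) ) {
        // A quote character inside $row[0] closes the string literal early,
        // so the remainder of the cell is parsed as SQL.
        $wpdb->query( "INSERT INTO {$table} (ce_venue_name) VALUES ('{$row[0]}')" );
    }
    fclose( $fh );
}

// Hardened pattern: capability check, input validation, prepared statement.
function ce_example_import_safe( $csv_path ) {
    global $wpdb;
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error( 'forbidden', 'Insufficient permissions.' );
    }
    $fh = fopen( $csv_path, 'r' );
    if ( false === $fh ) {
        return new WP_Error( 'unreadable', 'Cannot open CSV file.' );
    }
    $table    = $wpdb->prefix . 'ce_venues'; // assumed table name
    $imported = 0;
    while ( false !== ( $row = fgetcsv( $fh, 0, ',', '"', '\\' ) ) ) {
        $name = isset( $row[0] ) ? sanitize_text_field( $row[0] ) : '';
        if ( '' === $name || strlen( $name ) > 255 ) {
            continue; // skip blank lines and oversized cells
        }
        // %s makes $wpdb escape and quote the value; it is bound as data,
        // never interpreted as part of the statement.
        $sql = $wpdb->prepare(
            "INSERT INTO {$table} (ce_venue_name) VALUES (%s)",
            $name
        );
        if ( false !== $wpdb->query( $sql ) ) {
            $imported++;
        }
    }
    fclose( $fh );
    return $imported; // number of rows written
}
```

`$wpdb->insert()` with a `'%s'` format gives the same protection without hand-written SQL.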

Fix

SQL injection


Weakness Enumeration

Related identifiers

CVE-2026-2429

Affected products

Wordpress Community Events