CVE-2021-25030

Name of the Vulnerable Software and Affected Versions Events Made Easy WordPress plugin versions prior to 2.2.36

Description The issue concerns the Events Made Easy WordPress plugin, which does not properly sanitise and escape the search text parameter before using it in a SQL statement via the "eme searchmail" AJAX action. This action is available to any authenticated users, allowing those with a role as low as subscriber to perform SQL injection attacks.

Recommendations For versions prior to 2.2.36, update to version 2.2.36 or later to resolve the issue. As a temporary workaround, consider restricting access to the "eme searchmail" AJAX action to prevent exploitation. Avoid using the search text parameter in the affected AJAX endpoint until the issue is resolved.