PT-2024-6669 · WordPress · The Events Calendar

Foxyyy · Published 2024-08-28 · Updated 2024-10-21 · CVE-2024-8275

CVSS v3.1: 10 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: The Events Calendar plugin for WordPress, versions up to and including 6.6.4.
Description: The issue is a SQL injection vulnerability in the plugin's tribe_has_next_event() function. It allows an unauthenticated attacker to extract sensitive information from the website's database by appending additional SQL queries to existing ones. The vulnerability is due to insufficient escaping of the user-supplied `order` parameter and insufficient preparation of the existing SQL query. It is estimated that over 700,000 sites are potentially affected.
Recommendations: For versions up to and including 6.6.4, update to version 6.6.4.1 or above to resolve the issue. As a temporary workaround, consider disabling the tribe_has_next_event() function until a patch is available. Restrict access to the vulnerable `order` parameter in the tribe_has_next_event() function to minimize the risk of exploitation.
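To illustrate the pattern the description names, an added example that is not the plugin's own code: a hypothetical example_has_next_event_weak() concatenates a caller-supplied order value into the query (the same class of defect as described above), beside a hardened version that accepts only ASC or DESC and binds the remaining values with $wpdb->prepare(). The function names and the post type tribe_events are assumptions made for illustration.

```php
<?php
// Added illustration, not code from The Events Calendar. Function names and the
// post type below are hypothetical; $wpdb is the standard WordPress DB object.

// WEAK: the caller-controlled $order string is appended to the query verbatim.
// A sort direction cannot be a bound parameter, so prepare() on the rest of
// the statement does not protect this fragment; it needs validation.
function example_has_next_event_weak( $order, $after_date ) {
    global $wpdb;
    $sql = $wpdb->prepare(
        "SELECT ID FROM {$wpdb->posts} WHERE post_type = %s AND post_date > %s",
        'tribe_events',
        $after_date
    );
    $sql .= " ORDER BY post_date " . $order . " LIMIT 1"; // unescaped input
    return null !== $wpdb->get_var( $sql );
}

// HARDENED: allowlist the only two meaningful values; anything else falls
// back to a safe default, so the interpolated string is a known constant.
function example_normalize_order( $order ) {
    $order = strtoupper( trim( (string) $order ) );
    return in_array( $order, array( 'ASC', 'DESC' ), true ) ? $order : 'ASC';
}

function example_has_next_event_safe( $order, $after_date ) {
    global $wpdb;
    $direction = example_normalize_order( $order ); // 'ASC' or 'DESC' only
    $sql = $wpdb->prepare(
        "SELECT ID FROM {$wpdb->posts} WHERE post_type = %s AND post_date > %s"
        . " ORDER BY post_date {$direction} LIMIT 1",
        'tribe_events',
        $after_date
    );
    return null !== $wpdb->get_var( $sql );
}
```

The same allowlist check is a useful detection rule: any request carrying an order value that is not ASC or DESC is worth logging, since legitimate callers never send anything else.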

Weakness Enumeration

SQL injection

Related Identifiers

BDU:2024-07872
CVE-2024-8275

Affected Products

The Events Calendar