PT-2026-23814 · WordPress · Wordpress Community Events
Huy Tran · Published 2026-03-07 · Updated 2026-03-07 · CVE-2026-2429
CVSS v3.1: 4.9 (Medium)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
WordPress Community Events plugin versions through 1.5.8
Description
The WordPress Community Events plugin is susceptible to SQL Injection through the ce venue name field within CSV files. This occurs due to inadequate escaping of user-provided CSV data and insufficient preparation of existing SQL queries in the on save changes venues function. An authenticated attacker with Administrator-level access or higher can inject additional SQL queries by uploading a specially crafted CSV file, potentially extracting sensitive information from the database.
Recommendations
Update the WordPress Community Events plugin to a version newer than 1.5.8.
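For developers reviewing similar CSV import code, the pattern below is an added example, not the plugin's source or its patch: a hypothetical importer that passes each CSV cell to the database as bound data through `$wpdb->prepare()` and `$wpdb->insert()`. The function name, table name and column names are assumptions.

```php
<?php
// Added example: hypothetical venue importer, not the plugin's code.
// example_import_venues_csv, example_venues, venue_id and venue_name
// are assumed names used for illustration only.
function example_import_venues_csv( string $csv_path ): int {
    global $wpdb;
    $table = $wpdb->prefix . 'example_venues'; // fixed name, never taken from the CSV

    $fh = fopen( $csv_path, 'r' );
    if ( false === $fh ) {
        return 0;
    }

    // Locate the name column from the header row instead of trusting position.
    $header = fgetcsv( $fh, 0, ',', '"', '\\' );
    $col    = is_array( $header ) ? array_search( 'venue_name', $header, true ) : false;
    if ( false === $col ) {
        fclose( $fh );
        return 0;
    }

    $imported = 0;
    while ( false !== ( $row = fgetcsv( $fh, 0, ',', '"', '\\' ) ) ) {
        if ( ! isset( $row[ $col ] ) ) {
            continue; // blank or short line
        }
        // Input hygiene only: this is not SQL escaping.
        $name = sanitize_text_field( $row[ $col ] );
        if ( '' === $name ) {
            continue;
        }

        // Unsafe pattern to look for in review: building the query with
        // "... WHERE venue_name = '" . $name . "'", which makes the CSV
        // cell part of the SQL statement.

        // Safe pattern: %s placeholder, value bound by prepare().
        $existing = $wpdb->get_var(
            $wpdb->prepare( "SELECT venue_id FROM {$table} WHERE venue_name = %s", $name )
        );
        if ( null === $existing ) {
            // insert() prepares the statement internally using the given format.
            if ( false !== $wpdb->insert( $table, array( 'venue_name' => $name ), array( '%s' ) ) ) {
                $imported++;
            }
        }
    }
    fclose( $fh );
    return $imported;
}
```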
Fix
SQL injection
Affected Products
Wordpress Community Events