Summary: A critical security vulnerability (CVE-2024-8275) has been discovered in the widely-used WordPress plugin The Events Calendar, affecting all versions up to 6.6.4, with a CVSS score of 9.8. This flaw allows unauthenticated attackers to perform SQL injection attacks, potentially compromising sensitive data and site integrity.
Threat Actor: Unauthenticated attackers | unauthenticated attackers
Victim: Users of The Events Calendar plugin | The Events Calendar plugin
Key Point :
- The vulnerability is located in the tribe_has_next_event() function due to insufficient input escaping and SQL query preparation.
- Exploitation could lead to unauthorized access to sensitive database information.
- Only sites that have manually implemented the tribe_has_next_event() function are at risk, but the widespread use increases the threat level.
- Users are urged to update to version 6.6.4.1 or newer to mitigate the risk.
A severe security flaw has been identified in the popular WordPress plugin The Events Calendar, affecting all versions up to and including 6.6.4. Designated as CVE-2024-8275, the vulnerability has been assigned a CVSS score of 9.8, indicating a critical level of severity.
The Events Calendar plugin, boasting over 700,000 active installations, allows users to effortlessly create and manage event calendars on their WordPress sites. The plugin supports both in-person and virtual events, offering a range of professional features backed by a dedicated team of developers and designers.
The newly discovered vulnerability resides in the tribe_has_next_event() function. Specifically, the flaw is due to insufficient input escaping of the 'order' parameter and inadequate preparation of existing SQL queries. This oversight makes it possible for unauthenticated attackers to perform SQL injection attacks by appending additional SQL queries. Exploiting this vulnerability could allow attackers to extract sensitive information from the database, potentially compromising site integrity and user data.
Importantly, only sites that have manually added the tribe_has_next_event() function are vulnerable to this SQL injection flaw. However, given the widespread use of this function among developers customizing their event calendars, the risk remains substantial.
All users of The Events Calendar plugin are strongly advised to update to version 6.6.4.1 or a newer patched version immediately. The developers have addressed the vulnerability in this latest release, ensuring enhanced security measures are in place.