CVE Alert: CVE-2025-12197 – stellarwp – The Events Calendar
CVE-2025-12197
The Events Calendar plugin for WordPress is vulnerable to blind SQL injection via the ‘s’ parameter in versions 6.15.1.1 to 6.15.9 due to insufficient escaping of the user-supplied parameter and lack of sufficient preparation of the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL to already existing queries and use it to extract sensitive information from the database.
AI Summary Analysis
**Risk verdict**: High risk due to unauthenticated remote SQL injection with potential data disclosure; remediation should be pursued promptly.
**Why this matters**: The flaw allows extraction of sensitive database information without user interaction, elevating risk for customer data and regulatory compliance. If exploited, attacker access could scale across affected WordPress sites using the plugin, damaging trust and exposing credentials or personal data.
**Most likely attack path**: An attacker remotely targets a vulnerable The Events Calendar installation on a public WordPress site, sending crafted requests that set the s parameter. No authentication or user interaction is required, and the low complexity makes automated scanning feasible; the resulting queries can read data from the database, subject to the plugin’s query scope.
**Who is most exposed**: Public-facing WordPress deployments with The Events Calendar versions 6.15.1.1–6.15.9 installed. Sites in hosted environments or with minimal WAF protections are particularly at risk, including event-focused sites, venues, and organisations relying on WordPress for scheduling.
**Detection ideas**:
- Alerts for unusual requests to the s parameter in the events calendar endpoints.
- DB query logs showing SELECT-like queries with injected fragments or unusual JOINs.
- Web server logs with long-running or abnormal payloads targeting the vulnerable route.
- WAF alerts for SQL injection patterns in unauthenticated traffic.
- Sudden spikes in data egress from the database.
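As an added illustration of the first, third and fourth detection ideas (example code written for this alert, not code from the alert's author or from the plugin vendor), the Python below scans combined-format web-server log lines for requests under the plugin's front-end path whose `s` parameter carries blind-SQLi indicators. The `/events` path prefix, the sample log lines and the indicator patterns are constructed assumptions; tune the prefix to the site's actual events slug.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Combined-log-format line: client IP, timestamp, request line, status, bytes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)'
)

# Indicators typical of blind (time-based or boolean-based) SQLi probes.
SQLI_INDICATORS = [
    (re.compile(r"\b(sleep|benchmark)\s*\(", re.I), "time-based probe"),
    (re.compile(r"\bunion\b.{0,40}\bselect\b", re.I | re.S), "UNION SELECT"),
    (re.compile(r"['\"]\s*(or|and)\s+[\w'\"]+\s*=", re.I), "boolean tautology"),
    (re.compile(r"(--|/\*)"), "SQL comment sequence"),
]

EVENTS_PATH_PREFIX = "/events"  # assumed plugin front-end slug; adjust per site

# Constructed sample lines: a benign search, two textbook probe shapes, one probe on a non-plugin path.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Nov/2025:10:01:02 +0000] "GET /events/?s=concert HTTP/1.1" 200 5120',
    '203.0.113.9 - - [10/Nov/2025:10:01:07 +0000] "GET /events/?s=a%27%20AND%20SLEEP%285%29--%20 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [10/Nov/2025:10:01:09 +0000] "GET /blog/?s=%27%20OR%201%3D1 HTTP/1.1" 200 800',
    '203.0.113.9 - - [10/Nov/2025:10:01:12 +0000] "GET /events/?s=x%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 5120',
]

def parse_log_line(line):
    # Named fields of one combined-format line, or None if it does not parse.
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def sqli_reasons(value):
    # Names of every indicator matching a decoded parameter value (empty list = looks benign).
    return [name for rx, name in SQLI_INDICATORS if rx.search(value)]

def detect(lines, path_prefix=EVENTS_PATH_PREFIX):
    # Findings for requests under path_prefix whose `s` parameter matches an indicator.
    findings = []
    for line in lines:
        rec = parse_log_line(line)
        if rec is None:
            continue
        parts = urlsplit(rec["uri"])
        if not parts.path.startswith(path_prefix):
            continue  # WordPress core search also uses `s`; scope to the plugin's route
        for raw in parse_qs(parts.query, keep_blank_values=True).get("s", []):
            value = unquote_plus(raw)  # second decode also catches double-encoded probes
            reasons = sqli_reasons(value)
            if reasons:
                findings.append({"ip": rec["ip"], "ts": rec["ts"], "value": value, "reasons": reasons})
    return findings
```

Feed real access-log lines into `detect()` and forward the findings to the SIEM; pass `path_prefix="/"` to widen the scope to every route that accepts `s`.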
**Mitigation and prioritisation**:
- Patch to the latest supported version (a release later than 6.15.9, the last affected version); verify integrity in staging before production.
- If patching is delayed, apply a WAF rule to block SQLi in the s parameter and restrict access to the plugin’s endpoints.
- Disable or remove the plugin if not essential; otherwise apply least-privilege DB credentials and monitor for exfiltration.
- Perform a data exposure assessment and strengthen backups; ensure WordPress and database backups are current.
- If the CVE is listed in CISA KEV or its EPSS score is ≥ 0.5, treat as priority 1; otherwise prioritise based on exposure and patch readiness.
