CVE-2025-0959

CVE-2025-0959 is a SQL injection vulnerability in the Eventer - WordPress Event & Booking Manager Plugin for WordPress, affecting all versions up to and including 3.9.9.2. The flaw arises from insufficient escaping of the user-supplied reg_id parameter and lack of sufficient preparation in the existing SQL query, allowing injection of malicious SQL code. It is associated with CWE-564 (SQL Injection: Unprepared Statement) and CWE-89 (SQL Injection), and carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to network accessibility, low complexity, and significant impacts on confidentiality, integrity, and availability.

Authenticated attackers with Subscriber-level access or higher can exploit this vulnerability by manipulating the reg_id parameter to append additional SQL queries to existing ones. This enables extraction of sensitive information from the database, such as user credentials, event data, or other confidential records stored in the WordPress database.

Mitigation details are available in advisories referenced by Wordfence at https://www.wordfence.com/threat-intel/vulnerabilities/id/bd42c89e-57db-458f-910c-404a5615f280?source=cve and the plugin's CodeCanyon page at https://codecanyon.net/item/eventer-wordpress-event-manager-plugin/20972534, published on 2025-03-07. Security practitioners should review these for patch information and update affected installations beyond version 3.9.9.2.