Critical SQL Injection Vulnerability Discovered in ‘The Events Calendar’ WordPress Plugin (CVE-2024-8275)
A severe security flaw has been identified in the popular WordPress plugin The Events Calendar, affecting all versions up to and including 6.6.4. Designated as CVE-2024-8275, the vulnerability has been assigned a CVSS score of 9.8, indicating a critical level of severity.
The Events Calendar plugin, boasting over 700,000 active installations, allows users to effortlessly create and manage event calendars on their WordPress sites. The plugin supports both in-person and virtual events, offering a range of professional features backed by a dedicated team of developers and designers.
The newly discovered vulnerability resides in the tribe_has_next_event() function. Specifically, the flaw is due to insufficient input escaping of the 'order' parameter and inadequate preparation of existing SQL queries. This oversight makes it possible for unauthenticated attackers to perform SQL injection attacks by appending additional SQL queries. Exploiting this vulnerability could allow attackers to extract sensitive information from the database, potentially compromising site integrity and user data.
Importantly, only sites that have manually added the tribe_has_next_event() function are vulnerable to this SQL injection flaw. However, given the widespread use of this function among developers customizing their event calendars, the risk remains substantial.
All users of The Events Calendar plugin are strongly advised to update to version 6.6.4.1 or a newer patched version immediately. The developers have addressed the vulnerability in this latest release, ensuring enhanced security measures are in place.
