Overview
A critical SQL injection vulnerability tracked as CVE-2026-9711 has been disclosed in the EventON – WordPress Virtual Event Calendar Plugin, a widely used WordPress plugin for managing virtual and in-person events. The flaw carries a CVSS score of 9.8 (Critical) and affects all plugin versions up to and including 5.0.11.
The vulnerability enables unauthenticated attackers to inject malicious SQL payloads via the search parameter, potentially gaining full read and write access to the underlying database.
Vulnerability Details
| Field | Details |
|---|---|
| CVE ID | CVE-2026-9711 |
| CVSS Score | 9.8 (Critical) |
| Affected Versions | EventON ≤ 5.0.11 |
| Vulnerability Type | SQL Injection (CWE-89) |
| Authentication Required | None (unauthenticated) |
| User Interaction | None |
| Vector | Network |
Technical Analysis
The vulnerability exists due to insufficient escaping of user-supplied input on the search parameter combined with a lack of prepared statements in the affected SQL query. Because no authentication is required to trigger this endpoint, any unauthenticated remote attacker can craft a malicious request to exfiltrate database contents.
In practice, exploitation could allow an attacker to:
- Dump the WordPress database including usernames, password hashes, posts, and plugin settings
- Extract stored secrets such as API keys and authentication tokens stored in the options table
- Potentially escalate to code execution by writing malicious PHP into the database for eval-based execution paths
The search parameter is likely exposed through a public-facing AJAX endpoint, making exploitation trivial without any access controls.
Affected Software
- Plugin: EventON – WordPress Virtual Event Calendar Plugin
- Affected Versions: All versions up to and including 5.0.11
- Platform: WordPress (all versions hosting the affected plugin)
EventON is a popular event management plugin with a significant install base across event-driven WordPress sites, including conferences, virtual events, and booking platforms.
Remediation
WordPress site administrators running EventON should take the following steps immediately:
- Update to the latest patched version of EventON through the WordPress plugin dashboard
- Audit database logs for unexpected query patterns or data access since the vulnerability was introduced
- Review WordPress user accounts for unauthorized admin additions
- Enable a web application firewall (WAF) such as Wordfence, Cloudflare WAF, or similar to block SQLi patterns
If an immediate update is not possible, consider temporarily deactivating the plugin until patching can be performed during a maintenance window.
Workarounds
There are no known workarounds that fully mitigate this vulnerability without applying the vendor patch. Blocking access to the vulnerable AJAX endpoint at the WAF or server level may reduce exposure but is not a reliable long-term mitigation.