Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1794+ Articles
149+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. Security
  3. CVE-2026-9711: Critical SQL Injection in EventON WordPress Plugin (CVSS 9.8)
CVE-2026-9711: Critical SQL Injection in EventON WordPress Plugin (CVSS 9.8)

Critical Security Alert

This vulnerability is actively being exploited. Immediate action is recommended.

SECURITYCRITICALCVE-2026-9711

CVE-2026-9711: Critical SQL Injection in EventON WordPress Plugin (CVSS 9.8)

A critical unauthenticated SQL injection vulnerability in the EventON WordPress Virtual Event Calendar Plugin affects versions up to 5.0.11, exposing...

Dylan H.

Security Team

July 1, 2026
3 min read

Affected Products

  • EventON - WordPress Virtual Event Calendar Plugin versions up to and including 5.0.11

Overview

A critical SQL injection vulnerability tracked as CVE-2026-9711 has been disclosed in the EventON – WordPress Virtual Event Calendar Plugin, a widely used WordPress plugin for managing virtual and in-person events. The flaw carries a CVSS score of 9.8 (Critical) and affects all plugin versions up to and including 5.0.11.

The vulnerability enables unauthenticated attackers to inject malicious SQL payloads via the search parameter, potentially gaining full read and write access to the underlying database.

Vulnerability Details

FieldDetails
CVE IDCVE-2026-9711
CVSS Score9.8 (Critical)
Affected VersionsEventON ≤ 5.0.11
Vulnerability TypeSQL Injection (CWE-89)
Authentication RequiredNone (unauthenticated)
User InteractionNone
VectorNetwork

Technical Analysis

The vulnerability exists due to insufficient escaping of user-supplied input on the search parameter combined with a lack of prepared statements in the affected SQL query. Because no authentication is required to trigger this endpoint, any unauthenticated remote attacker can craft a malicious request to exfiltrate database contents.

In practice, exploitation could allow an attacker to:

  • Dump the WordPress database including usernames, password hashes, posts, and plugin settings
  • Extract stored secrets such as API keys and authentication tokens stored in the options table
  • Potentially escalate to code execution by writing malicious PHP into the database for eval-based execution paths

The search parameter is likely exposed through a public-facing AJAX endpoint, making exploitation trivial without any access controls.

Affected Software

  • Plugin: EventON – WordPress Virtual Event Calendar Plugin
  • Affected Versions: All versions up to and including 5.0.11
  • Platform: WordPress (all versions hosting the affected plugin)

EventON is a popular event management plugin with a significant install base across event-driven WordPress sites, including conferences, virtual events, and booking platforms.

Remediation

WordPress site administrators running EventON should take the following steps immediately:

  1. Update to the latest patched version of EventON through the WordPress plugin dashboard
  2. Audit database logs for unexpected query patterns or data access since the vulnerability was introduced
  3. Review WordPress user accounts for unauthorized admin additions
  4. Enable a web application firewall (WAF) such as Wordfence, Cloudflare WAF, or similar to block SQLi patterns

If an immediate update is not possible, consider temporarily deactivating the plugin until patching can be performed during a maintenance window.

Workarounds

There are no known workarounds that fully mitigate this vulnerability without applying the vendor patch. Blocking access to the vulnerable AJAX endpoint at the WAF or server level may reduce exposure but is not a reliable long-term mitigation.

References

  • NVD Entry: CVE-2026-9711
  • EventON Plugin on WordPress.org
  • OWASP SQL Injection Prevention Cheat Sheet
#CVE#SQL Injection#WordPress#Plugin Vulnerability#NVD#Critical

Related Articles

CVE-2026-4321: Critical SQL Injection in Raera Destekz Plugin (No Patch Available)

A CVSS 9.8 critical SQL injection in the Destekz plugin by Raera - Ankara Web Design allows unauthenticated remote attackers full database access. The...

2 min read

CVE-2026-54820: Critical SQL Injection in JetBooking WordPress Plugin

A critical unauthenticated SQL injection vulnerability (CVSS 9.3) in the JetBooking WordPress plugin affects all versions up to 4.0.4.1, potentially...

4 min read

CVE-2026-7515: BetterDocs Pro WordPress Plugin — Unauthenticated Local File Inclusion

A critical Local File Inclusion vulnerability in the BetterDocs Pro WordPress plugin (up to v3.8.0) allows unauthenticated attackers to include and...

6 min read
Back to all Security Alerts