CVE-2025-69135
Deferred - Pending Action
Subscriber SQL Injection in WordPress Events Calendar Plugin

Publication date: 2026-06-17

Last updated on: 2026-06-17

Assigner: Patchstack

Description
Subscriber SQL Injection in Events Schedule - WordPress Events Calendar Plugin, versions <= 2.7.2.

Meta Information
Published: 2026-06-17
Last Modified: 2026-06-17
Generated: 2026-06-17
AI Q&A: 2026-06-17
EPSS Evaluated: N/A

Affected Vendors & Products
Showing 1 associated CPE
Vendor: events_schedule
Product: wordpress_events_calendar_plugin
Version / Range: to 2.7.2 (inc)

CWE ID: CWE-89
Description: The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Executive Summary

CVE-2025-69135 is a high-priority SQL Injection vulnerability in the WordPress plugin "Events Schedule - WordPress Events Calendar Plugin", versions 2.7.2 and lower.

This vulnerability allows attackers to interact directly with the website's database by injecting malicious SQL code, potentially leading to unauthorized access or data theft.

Impact Analysis

This vulnerability poses a high risk with a CVSS score of 8.5 and could allow attackers to steal sensitive information from your website's database.

It is expected to be targeted in mass-exploit campaigns, potentially affecting thousands of websites regardless of their size or popularity.

Until an official patch is released, attackers could exploit this vulnerability to compromise your website's data integrity and confidentiality.

Immediate mitigation actions include updating the plugin or applying available mitigation rules provided by security services like Patchstack.

Mitigation Strategies

The vulnerability affects versions 2.7.2 and lower of the WordPress plugin "Events Schedule - WordPress Events Calendar Plugin" and allows high-risk SQL Injection attacks.

Immediate mitigation steps include:

  • Updating the plugin to a version higher than 2.7.2 once an official patch is released.
  • Applying the mitigation rule issued by Patchstack to block attacks until an official fix is available.
  • Seeking assistance from your hosting provider or a developer to implement temporary protections.

Compliance Impact

The SQL Injection vulnerability in the WordPress Events Calendar Plugin could allow attackers to access and steal sensitive information from the website's database.

Such unauthorized access to sensitive data may lead to non-compliance with data protection regulations and standards like GDPR and HIPAA, which require the protection of personal and sensitive information.

Therefore, if exploited, this vulnerability could result in violations of these regulations due to potential data breaches.
