SQL Injection vulnerability in WordPress’s “The Events Calendar” Plugin

A serious security vulnerability has been discovered in The Events Calendar, a popular WordPress plugin. The vulnerability is an SQL injection flaw tracked as CVE-2024-8275, and it affects all versions of the plugin up to and including 6.6.4. This article explains how the vulnerability works, what its consequences are, and how to protect against it.

CVE-2024-8275 is caused by the order parameter of the plugin's tribe_has_next_event function. The function does not handle this user-controlled parameter securely enough, so its value can be incorporated into an SQL query: an attacker can append their own SQL through the parameter and thereby read confidential information from the database. Exploiting the vulnerability does not require authentication, so even an unregistered visitor to the site can trigger it.
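The following Python example is added here to illustrate the class of bug described above; it is not the plugin's code, and the table, sample rows and function names are constructed for the example. It uses an in-memory SQLite database and contrasts a query that interpolates a caller-supplied sort direction straight into ORDER BY with a version that accepts only an allowlisted direction. An allowlist is the standard control for this case because an ORDER BY clause cannot be bound as a prepared-statement parameter.

```python
import sqlite3

# Constructed sample data standing in for an events table; not the plugin's schema.
SAMPLE_EVENTS = [
    (1, "Conference", "2024-09-01"),
    (2, "Workshop", "2024-09-15"),
    (3, "Meetup", "2024-10-01"),
]

# Only these two values are ever allowed to reach the ORDER BY clause.
ALLOWED_ORDER = {"ASC", "DESC"}


def make_db():
    """Create an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE events (id INTEGER, title TEXT, start_date TEXT)")
    conn.executemany("INSERT INTO events VALUES (?, ?, ?)", SAMPLE_EVENTS)
    conn.commit()
    return conn


def next_event_vulnerable(conn, after_date, order):
    """Vulnerable pattern: the caller-supplied sort direction is interpolated
    straight into the SQL text, so whatever string arrives becomes part of the query.
    The date is bound as a parameter, but that does nothing for the ORDER BY part."""
    sql = f"SELECT id, title FROM events WHERE start_date > ? ORDER BY start_date {order}"
    return conn.execute(sql, (after_date,)).fetchall()


def validate_order(order):
    """Allowlist check: normalise the value and accept only ASC or DESC.
    Anything else is rejected before it can reach the query text."""
    direction = str(order).strip().upper()
    if direction not in ALLOWED_ORDER:
        raise ValueError(f"invalid sort direction: {order!r}")
    return direction


def next_event_hardened(conn, after_date, order):
    """Hardened pattern: only a validated, allowlisted direction is placed in the SQL."""
    direction = validate_order(order)
    sql = f"SELECT id, title FROM events WHERE start_date > ? ORDER BY start_date {direction}"
    return conn.execute(sql, (after_date,)).fetchall()


def demo():
    """Run both variants on a legitimate direction and on a value that is not one."""
    conn = make_db()
    # Legitimate use: both functions return the same rows.
    normal_v = next_event_vulnerable(conn, "2024-08-01", "ASC")
    normal_h = next_event_hardened(conn, "2024-08-01", "ASC")
    # A value that is not a sort direction: the vulnerable function lets it change
    # the shape of the query (here it appends a LIMIT, so fewer rows come back);
    # the hardened function refuses it outright.
    tampered = "ASC LIMIT 1"
    vuln_rows = next_event_vulnerable(conn, "2024-08-01", tampered)
    try:
        next_event_hardened(conn, "2024-08-01", tampered)
        rejected = False
    except ValueError:
        rejected = True
    return {
        "normal_rows": len(normal_v),
        "same_result": normal_v == normal_h,
        "tampered_rows_vulnerable": len(vuln_rows),
        "tampered_rejected_hardened": rejected,
    }


if __name__ == "__main__":
    print(demo())
```

The tampered value used in the demo only alters the number of rows returned, which is enough to show that the vulnerable function hands control of the query to the caller; the hardened function never builds the query at all when the direction is not on the allowlist.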

Scope and Impact
The impact of this vulnerability is very high; affected sites can be harmed in the following ways:

Impact on privacy: an attacker can access the database and read users’ personal information.

Impact on integrity: the flaw allows existing data in the database to be modified or malicious data to be injected.

Impact on availability: injected queries can consume the underlying server's resources and prevent the site from functioning properly.

The vulnerability has very low attack complexity and can be exploited easily by any attacker with network access to the site.

To protect against this vulnerability, update The Events Calendar plugin to version 6.6.5 or later. In the fixed version, the order parameter of the tribe_has_next_event function is handled securely. If your site runs a vulnerable version of the plugin and cannot be updated, use of tribe_has_next_event should be disabled.

CVE-2024-8275 affects many WordPress-based sites. Keeping plugins up to date is the primary protection against this vulnerability: developers and site owners should monitor security updates and install them promptly.

For more information:
https://cvefeed.io/vuln/detail/CVE-2024-8275
https://cyber.vumetric.com/vulns/CVE-2024-8275/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-8275