Platform: wordpress
Component: community-events
Fixed in: 1.5.2
CVE-2025-10587 describes a critical SQL Injection vulnerability discovered in the Community Events plugin for WordPress. This flaw allows authenticated attackers, even those with Subscriber-level access, to inject malicious SQL queries and potentially extract sensitive information from the database. The vulnerability affects versions 1.0.0 through 1.5.1, and a patch is expected to be released shortly.
The SQL Injection vulnerability in Community Events allows an attacker to manipulate database queries. By injecting malicious SQL code through the event_category parameter, an attacker can bypass intended query logic and execute arbitrary SQL commands. This could lead to the extraction of sensitive data such as user credentials, plugin configuration details, or other stored information. Successful exploitation could also allow for modification or deletion of database records, leading to data corruption or denial of service. While requiring authentication (Subscriber level or higher), the relatively low privilege requirement expands the potential attack surface.
CVE-2025-10587 was publicly disclosed on 2025-10-08. The vulnerability's critical severity and ease of exploitation (requiring only authenticated Subscriber access) suggest a potential for rapid exploitation. No public proof-of-concept (POC) code has been released at the time of writing, but the SQL Injection nature of the vulnerability makes it likely that POCs will emerge shortly. The vulnerability is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS: 0.05% (14th percentile)
The primary mitigation for CVE-2025-10587 is to upgrade the Community Events plugin to a patched version as soon as it becomes available. Until a patch is released, consider temporarily disabling the plugin to prevent potential exploitation. As a temporary workaround, implement strict input validation and sanitization on the event_category parameter within the plugin's code, although this is not a substitute for a proper patch. Monitor WordPress access logs for unusual SQL query patterns that might indicate an attempted exploit. Web Application Firewalls (WAFs) configured to detect and block SQL injection attempts can also provide a layer of protection.
Update the Community Events plugin to a fixed version (later than 1.5.1) to mitigate the SQL injection vulnerability. Make sure to take a full backup of the website before updating. Verify that all database queries are properly escaped and prepared to prevent future SQL injections.
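To make the "escaped and prepared" advice concrete, here is an added illustration (not the Community Events plugin's own code) of the concatenation pattern that exposes a query to injection through a request parameter, next to a hardened version that binds the value with $wpdb->prepare() and restricts it to an allow-list. The table name, column name and category list are assumptions for the example.

```php
<?php
// Added illustration, not the Community Events plugin's own code.
// Assumed: a table {$wpdb->prefix}community_events with an event_category
// column, and a request parameter named event_category.

// Pattern that exposes SQL injection: the request value is spliced into the
// query text, so quotes and SQL keywords inside it become part of the statement.
function ce_events_by_category_unsafe( $category ) {
    global $wpdb;
    $table = $wpdb->prefix . 'community_events';
    $sql   = "SELECT id, title FROM {$table} WHERE event_category = '" . $category . "'";
    return $wpdb->get_results( $sql ); // do not use: user input is part of the SQL text
}

// Hardened form: the value travels as a bound parameter through $wpdb->prepare(),
// so it cannot change the structure of the statement. The input is also
// normalised and checked against an allow-list of categories the plugin defines.
function ce_events_by_category_safe( $category ) {
    global $wpdb;

    // Unslash the request value and strip tags/control characters.
    $category = sanitize_text_field( wp_unslash( $category ) );

    // Only accept categories that are actually defined (assumed example list).
    $allowed = array( 'workshop', 'meetup', 'webinar' );
    if ( ! in_array( $category, $allowed, true ) ) {
        return array(); // unknown category: nothing to query
    }

    $table = $wpdb->prefix . 'community_events';
    $sql   = $wpdb->prepare(
        "SELECT id, title FROM {$table} WHERE event_category = %s",
        $category
    );
    return $wpdb->get_results( $sql );
}

// Entry point: read the request parameter and require a logged-in user, which
// mirrors the advisory's note that any authenticated account can reach the query.
function ce_handle_request() {
    if ( ! is_user_logged_in() ) {
        return array();
    }
    $category = isset( $_GET['event_category'] ) ? $_GET['event_category'] : '';
    return ce_events_by_category_safe( $category );
}
```

The allow-list is the extra layer; even without it, moving the value into a prepare() placeholder is what removes the injection.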
CVE-2025-10587 is a critical SQL Injection vulnerability affecting the Community Events WordPress plugin, allowing attackers to extract sensitive data through the event_category parameter.
You are affected if your WordPress site uses the Community Events plugin in versions 1.0.0 through 1.5.1.
Upgrade the Community Events plugin to a patched version as soon as it is available. Temporarily disable the plugin until a patch is released.
While no public exploits are currently known, the vulnerability's critical severity suggests a high likelihood of exploitation.
Check the Community Events plugin's official website or WordPress plugin repository for updates and security advisories.