Community Events <= 1.5.1 - Unauthenticated SQL Injection
Platform: wordpress
Component: community-events
Fixed in: 1.5.2
CVE-2025-10586 describes a critical SQL Injection vulnerability discovered in the Community Events plugin for WordPress. This flaw allows authenticated attackers, even those with Subscriber-level access, to inject malicious SQL queries and potentially extract sensitive information from the database. The vulnerability impacts versions 1.0.0 through 1.5.1, and a patch is expected to be released shortly.
Impact and Attack Scenarios
The SQL Injection vulnerability in Community Events allows an attacker to manipulate database queries. By injecting malicious SQL code through the 'event_venue' parameter, an attacker can bypass security measures and directly access the WordPress database. This could lead to the exfiltration of sensitive data such as user credentials, customer information, or plugin configuration details. Successful exploitation could also allow an attacker to modify or delete data, potentially disrupting the website's functionality or causing data loss. The impact is particularly severe because the vulnerability requires only Subscriber-level access, significantly broadening the potential attack surface.
Exploitation Context
CVE-2025-10586 was publicly disclosed on 2025-10-09. The vulnerability's ease of exploitation and the potential for significant data compromise suggest a medium probability of exploitation. No public proof-of-concept (POC) code has been released at the time of writing, but the vulnerability's simplicity makes it likely that one will emerge. Monitor security advisories and threat intelligence feeds for updates.
Who Is at Risk
Websites using the Community Events plugin, particularly those with Subscriber-level users who have access to create or modify events, are at significant risk. Shared hosting environments where multiple websites share the same database are also particularly vulnerable, as a compromise of one site could potentially lead to the compromise of others.
Detection Steps
• wordpress / plugin: Use wp-cli to check whether an update is available, e.g. wp plugin update community-events --dry-run.
• wordpress / plugin: Use wp plugin list --name=community-events --fields=name,version,status to identify installed instances of the Community Events plugin and their version.
• generic web: Examine WordPress access logs for unusual SQL query patterns in requests to pages using the Community Events plugin. Look for patterns like UNION SELECT or OR 1=1 within the event_venue parameter (after URL decoding, since probes are usually sent percent-encoded).
• generic web: Use curl to test the plugin endpoint with a simple SQL injection payload, passing the parameters through --data-urlencode so the shell does not split the URL: curl -G 'https://example.com/' --data-urlencode 'page=community-events' --data-urlencode 'event_venue=1 UNION SELECT 1,2,3 -- -' and compare the response with the one returned for a benign value.
• generic web: Search the plugin's PHP files for the SQL query that uses event_venue and check whether the value goes through $wpdb->prepare() or an escaping function before reaching the query.
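One way to automate the log review from the detection steps above, as an added example that is not code from the advisory or the plugin: it URL-decodes the event_venue parameter from access-log lines (including double-encoded values) and flags the UNION SELECT and OR 1=1 indicators. The Common Log Format layout and the sample log lines are constructed assumptions.

```python
"""Flag SQL-injection indicators in the Community Events event_venue
parameter from web-server access logs.  Added example, not code from the
advisory or the plugin; log format and sample lines are constructed."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Indicators named in the detection steps plus SQL comment terminators.
# Matched case-insensitively on the decoded parameter value.
SQLI_PATTERNS = [
    r"\bunion\b\s+(?:all\s+)?select\b",  # UNION SELECT
    r"\b(?:or|and)\b\s+\d+\s*=\s*\d+",   # OR 1=1 style tautology
    r"--\s|/\*",                          # comment terminators
]
SQLI_RE = re.compile("|".join(f"(?:{p})" for p in SQLI_PATTERNS), re.IGNORECASE)

# Common Log Format: client, identity, user, [timestamp], "request", status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def extract_event_venue(path):
    """Return the decoded event_venue value(s) of a request path ([] if absent).
    The extra unquote() surfaces double-encoded payloads (%2527 -> ')."""
    values = parse_qs(urlsplit(path).query, keep_blank_values=True)
    return [unquote(v) for v in values.get("event_venue", [])]

def scan_log(lines):
    """Return (client_ip, timestamp, decoded_value) for each request whose
    event_venue parameter matches a SQL-injection indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line in the expected format; skip it
        for value in extract_event_venue(m.group("path")):
            if SQLI_RE.search(value):
                hits.append((m.group("ip"), m.group("ts"), value))
    return hits

# Constructed sample log: a benign request, a UNION SELECT probe, a
# double-encoded OR 1=1 probe, and an unrelated request.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Oct/2025:08:01:12 +0000] "GET /?page=community-events&event_venue=Town+Hall HTTP/1.1" 200 5120',
    '10.0.0.9 - - [10/Oct/2025:08:02:40 +0000] "GET /?page=community-events&event_venue=1%27%20UNION%20SELECT%201%2C2%2C3--%20- HTTP/1.1" 200 7310',
    '10.0.0.9 - - [10/Oct/2025:08:02:41 +0000] "GET /?page=community-events&event_venue=1%2527%2520OR%25201%253D1 HTTP/1.1" 200 7310',
    '10.0.0.7 - - [10/Oct/2025:08:03:02 +0000] "GET /wp-login.php HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for ip, ts, value in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} event_venue={value!r}")
```

Only the two probe lines are reported; the benign "Town Hall" value and the unrelated request are ignored.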
Attack Timeline
- Disclosure: Public Disclosure
Threat Intelligence
- EPSS: 0.05% (percentile 14%)
CVSS Vector
- Attack Vector: Network. Exploitable remotely over the internet; no physical or local access required.
- Attack Complexity: Low. No special conditions required; reliably exploitable.
- Privileges Required: None. No authentication; no credentials needed to exploit.
- User Interaction: None. Automatic, silent attack; the victim does nothing.
- Scope: Unchanged. Impact limited to the vulnerable component.
- Confidentiality: High. Total loss of confidentiality; the attacker can read all data.
- Integrity: High. The attacker can write, modify or delete all data.
- Availability: High. Complete outage or resource exhaustion; total denial of service.
Affected Software
Package information
- Active installs: 20 (Niche)
- Plugin rating: 3.0
- Requires WordPress: 3.0+
- Compatible up to: 6.9.4
Mitigation and Workarounds
The primary mitigation for CVE-2025-10586 is to upgrade the Community Events plugin to a version containing the security fix. Until a patched version is available, consider temporarily disabling the plugin to prevent exploitation. As a short-term workaround, implement a Web Application Firewall (WAF) rule to filter potentially malicious SQL queries targeting the 'event_venue' parameter. Specifically, look for unusual characters or SQL keywords within the parameter value. Monitor WordPress access logs for suspicious SQL query patterns. After the upgrade, confirm the fix by sending a request with a known malicious payload in the 'event_venue' parameter; it should now be properly sanitized.
How to Fix
Update the Community Events plugin to a fixed version (later than 1.5.1). This update addresses the SQL injection vulnerability by correctly escaping user input parameters and using prepared SQL queries. Be sure to back up your website before updating.
Frequently Asked Questions
What is CVE-2025-10586 — SQL Injection in Community Events WordPress Plugin?
CVE-2025-10586 is a critical SQL Injection vulnerability affecting the Community Events plugin for WordPress versions 1.0.0–1.5.1, allowing attackers to extract sensitive data.
Am I affected by CVE-2025-10586 in Community Events WordPress Plugin?
You are affected if you are using the Community Events plugin for WordPress in versions 1.0.0 through 1.5.1. Upgrade immediately.
How do I fix CVE-2025-10586 in Community Events WordPress Plugin?
Upgrade the Community Events plugin to a patched version as soon as it becomes available. Temporarily disable the plugin as a short-term workaround.
Is CVE-2025-10586 being actively exploited?
While no public exploits are currently known, the vulnerability's simplicity suggests a high likelihood of exploitation. Monitor security advisories.
Where can I find the official WordPress advisory for CVE-2025-10586?
Refer to the WordPress security announcements page and the Community Events plugin developer's website for updates and advisories.