{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-10586", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-09-16T21:29:38.515Z", "datePublished": "2025-10-09T01:48:48.789Z", "dateUpdated": "2026-04-08T17:09:34.015Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:09:34.015Z"}, "affected": [{"vendor": "jackdewey", "product": "Community Events", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.5.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Community Events plugin for WordPress is vulnerable to SQL Injection via the \u2018event_venue\u2019 parameter in all versions up to, and including, 1.5.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database."}], "title": "Community Events <= 1.5.1 - Unauthenticated SQL Injection", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/92f3b923-884e-4f61-9bf8-62dfb267a27e?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/community-events/trunk/community-events.php?rev=3115223"}, {"url": "https://wordpress.org/plugins/community-events/"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3369351%40community-events%2Ftrunk&old=3115222%40community-events%2Ftrunk&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "cweId": "CWE-89", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL"}}], "credits": [{"lang": "en", "type": "finder", "value": "ifoundbug"}], "timeline": [{"time": "2025-09-28T17:22:38.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-10-08T13:32:46.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-10-09T17:50:12.225982Z", "id": "CVE-2025-10586", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-09T17:55:41.066Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-10586", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-10-09T17:50:12.225982Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-09T17:55:36.596Z"}}], "cna": {"title": "Community Events <= 1.5.1 - Unauthenticated SQL Injection", "credits": [{"lang": "en", "type": "finder", "value": "ifoundbug"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 9.8, "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}}], "affected": [{"vendor": "jackdewey", "product": "Community Events", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.5.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-09-28T17:22:38.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-10-08T13:32:46.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/92f3b923-884e-4f61-9bf8-62dfb267a27e?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/community-events/trunk/community-events.php?rev=3115223"}, {"url": "https://wordpress.org/plugins/community-events/"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3369351%40community-events%2Ftrunk&old=3115222%40community-events%2Ftrunk&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The Community Events plugin for WordPress is vulnerable to SQL Injection via the \u2018event_venue\u2019 parameter in all versions up to, and including, 1.5.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:09:34.015Z"}}}, "cveMetadata": {"cveId": "CVE-2025-10586", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:09:34.015Z", "dateReserved": "2025-09-16T21:29:38.515Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-10-09T01:48:48.789Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Community Events plugin for WordPress is vulnerable to SQL Injection via the \u2018event_venue\u2019 parameter in all versions up to, and including, 1.5.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database."}], "id": "CVE-2025-10586", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-10-09T02:15:40.993", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/community-events/trunk/community-events.php?rev=3115223"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3369351%40community-events%2Ftrunk&old=3115222%40community-events%2Ftrunk&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://wordpress.org/plugins/community-events/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/92f3b923-884e-4f61-9bf8-62dfb267a27e?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T13:12:33.828784+00:00", "value": {"mitigation_remediation": ["Upgrade the Community Events plugin to the latest available version which removes the unescaped event_venue parameter, ensuring that future releases employ prepared statements or proper escaping.", "If an upgrade is not possible, temporarily disable the Community Events plugin or remove it entirely to eliminate the attack surface until a fix is available.", "Restrict the Subscriber role and lower to prevent attackers with that level from submitting data to the plugin, and monitor all SQL queries for unexpected activity that could indicate exploitation attempts."], "summary": {"action": "Immediate Patch", "impact": "SQL Injection"}, "threat_synthesis": {"affected_systems": "All installations of the Community Events plugin version 1.5.1 or older from the vendor jackdewey are vulnerable. These versions are available on WordPress.org and may still be present on sites that have not applied updates since the fix was released.", "description_and_impact": "The Community Events plugin for WordPress contains an unescaped SQL injection vulnerability in the event_venue parameter that can be exploited through the SQL query compiled by the plugin. This flaw, classified as CWE\u201189, allows a user to inject arbitrary SQL statements. When successful, an attacker can read or modify data stored in the WordPress database, potentially exposing user credentials, content, and configuration settings, and compromising the confidentiality and integrity of the site content.", "risk_and_exploitability": "The flaw has a CVSS score of 9.8, indicating a critical risk. The EPSS score is less than 1\u202f%, suggesting that exploitation is currently low\u2011probability, yet the lack of a hard patch in the KEV catalog does not mitigate the potential for exploitation. Based on the description, the injection requires a user with Subscriber\u2011level access or higher; thus authentication is necessary, although some sources label it as unauthenticated. Exploitability requires the attacker to submit a crafted event_venue value in a request that the plugin processes, a step that is simple to automate once the vulnerability is known."}}}}, "created": "2025-10-09T12:51:28.450995+00:00", "updated": "2026-04-22T13:15:17.850354+00:00", "vendors": ["jackdewey", "jackdewey$PRODUCT$community_events", "wordpress", "wordpress$PRODUCT$wordpress"]}