CVE-2026-9711: EventON - WordPress Virtual Event Calendar Plugin <= 5.0.11 - Unauthenticated Blind SQL Injection via Search Parameter
The EventON - WordPress Virtual Event Calendar Plugin (full) for WordPress is vulnerable to SQL injection via the WordPress 'search' parameter in versions up to, and including, 5.0.11, due to insufficient escaping of the user-supplied parameter and lack of preparation on the existing SQL query. This makes it possible for unauthenticated attackers to inject additional SQL into the existing query and, because the injection is blind, infer sensitive information from the database through boolean or time-based responses, provided the "Enable additional search queries" setting is enabled and at least one published event exists.
Metrics
- CVSS v3.1: 9.8
- Severity: CRITICAL
- Fixed in: — (no upstream fix at time of publication)
- Affected Products: 1
HarborGuard Analysis
Synopsis
Blind SQL injection in the EventON WordPress Virtual Event Calendar Plugin (versions up to and including 5.0.11) allows an unauthenticated remote attacker to inject arbitrary SQL into the plugin's event search query. The vulnerability is reachable over the network with no credentials required, and it is conditional on the plugin's "Enable additional search queries" setting being active and at least one published event existing in the database. Because the injection is blind, nothing from the query result is echoed back; data is extracted one bit at a time by observing whether the response changes (boolean-based) or is delayed (time-based), so exploitation is slow but fully automatable. The CVSS vector rates confidentiality, integrity and availability impact all as high; note that the injection point is a SELECT and WordPress's $wpdb layer does not execute stacked statements in its default configuration, so the practical write impact depends on what the injected expression can reach, while time-based probes alone can exhaust database resources and degrade availability. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment an upstream fix is published.
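To make the bug class described above concrete, the following is an added illustration written for this page; it is not EventON's code, not HarborGuard's, and does not reproduce the plugin's actual query. It assumes a hypothetical plugin function searching a hypothetical 'event' post type by title through WordPress's global $wpdb. The vulnerable form concatenates the search term exactly as the advisory describes (no escaping, no preparation); the hardened form is the standard WordPress fix using $wpdb->esc_like() and $wpdb->prepare().

```php
<?php
// Added illustration for this page, not EventON's or HarborGuard's code.
// Assumption: a hypothetical plugin searches a hypothetical 'event' post
// type by title using WordPress's global $wpdb. Must be loaded inside
// WordPress (e.g. from a plugin file), since it relies on $wpdb and core helpers.

// VULNERABLE PATTERN: the raw request value is spliced into the SQL string,
// which is the defect the advisory describes (insufficient escaping, no
// preparation). A value such as   x%' AND SLEEP(5) AND '1'='1   closes the
// LIKE literal, runs attacker-controlled SQL inside the WHERE clause, and
// the trailing fragment re-opens a literal so the statement stays valid.
// Nothing is echoed back, so the attacker reads results via timing.
function example_search_vulnerable( $search ) {
    global $wpdb;
    $sql = "SELECT ID, post_title FROM {$wpdb->posts}"
         . " WHERE post_type = 'event' AND post_status = 'publish'"
         . " AND post_title LIKE '%" . $search . "%'";
    return $wpdb->get_results( $sql );
}

// HARDENED PATTERN: the value is bound through $wpdb->prepare(), so quotes
// and operators inside it are data, never SQL. $wpdb->esc_like() also
// neutralises the LIKE wildcards % and _ so a user cannot widen the pattern.
function example_search_hardened( $search ) {
    global $wpdb;

    // Normalise early: undo WordPress's slashing of request data, strip tags
    // and control characters, and cap the length to bound query cost.
    $search = sanitize_text_field( wp_unslash( (string) $search ) );
    $search = mb_substr( $search, 0, 100 );
    if ( '' === $search ) {
        return array();
    }

    $like = '%' . $wpdb->esc_like( $search ) . '%';
    $sql  = $wpdb->prepare(
        "SELECT ID, post_title FROM {$wpdb->posts}"
        . ' WHERE post_type = %s AND post_status = %s AND post_title LIKE %s',
        'event',
        'publish',
        $like
    );
    return $wpdb->get_results( $sql );
}
```

Only the hardened function belongs in production. The point of showing both side by side is the placement of the fix: it is not enough to escape quotes after the fact, because a LIKE pattern also needs its wildcards escaped, and only prepare() guarantees the value is sent as a literal regardless of what it contains.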
HarborGuard Coverage
- Detection: Available. The CVE is ingested from upstream feeds, including the Wordfence advisory channel, within minutes of publication and matched against all customer images, including custom-built WordPress images that bundle the EventON plugin. Any image layer containing an affected version of the plugin is flagged in the relevant registry and CI pipeline scan.
- Triage: Available. HarborGuard scores this finding at CVSS 9.8 (Critical) and weights it further against each customer organization's compliance policy to determine urgency and routing. Triage findings are delivered to the inbox or ticketing integration configured for the affected workload's team within that customer environment.
- Patched rebuild: Pending upstream. Because no fix version has been published upstream, HarborGuard re-evaluates the Wordfence advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a remediated release appears. For customers with auto-remediation enabled, the rebuild, regression-test run, and PR against affected workloads will be triggered without manual intervention as soon as a fix version is confirmed.
Exploit Conditions
- Network reachability: Required
The plugin's search endpoint is exposed over the network, so an attacker must be able to reach the WordPress installation over HTTP or HTTPS to deliver the malicious search parameter.
- Authentication: Not required
No account or session token is needed; the vulnerable search parameter is processed for anonymous requests.
- Victim interaction: Not required
Exploitation is fully attacker-driven and requires no action from any user or administrator of the target site.
- Attack complexity: Low
Two environmental prerequisites must hold: the "Enable additional search queries" setting must be active and at least one published event must exist in the database. Once they do, exploitation is reliable and needs no race, timing window or special configuration. Because the injection is blind, extraction proceeds by automated boolean or time-based inference rather than direct output, which makes it slower but not harder.
Blast Radius
- Reads arbitrary rows from the WordPress database, including user account records, password hashes, session tokens, and plugin configuration data.
- Where the injection point allows data-modifying statements to be reached, modifies or deletes persisted database rows, allowing an attacker to alter event content, create rogue administrator accounts, or corrupt site data.
- Extracts secrets stored in WordPress options, such as API keys, payment gateway credentials, or private configuration values held in the wp_options table.
- Crashes or degrades database-driven functionality by injecting resource-exhausting queries, disrupting site availability for legitimate users.
How HarborGuard Handles This
This CVE is monitored on every ingest cycle against all images that include the EventON plugin at or below version 5.0.11. Because no upstream patch exists at the time of publication, HarborGuard cannot yet offer an automatic rebuild, but the advisory is re-evaluated continuously so a patched rebuild will become available without delay once the plugin author ships a fix and the Wordfence advisory records the fixed version. In the interim, customers can apply compensating controls. Disabling the "Enable additional search queries" plugin setting removes the precondition for exploitation and is the most effective single mitigation if operationally feasible. Public access to the plugin's search endpoint can be restricted via ingress rules, or a web application firewall rule can inspect the affected search parameter for SQL syntax. Running WordPress against a least-privilege database account (only the privileges it needs on its own schema; no FILE, SUPER or grants on other databases) limits what a successful injection can reach. Egress filtering on the container does not help here, since the malicious queries are issued by the WordPress process over its own legitimate database connection. For customers with auto-remediation enabled, the full rebuild, regression-test, and PR workflow will trigger automatically as soon as a fix version is confirmed upstream.
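As an added example of the application-level equivalent of the WAF rule suggested above, the following must-use plugin is illustrative code written for this page, not HarborGuard's or EventON's. It assumes the attack surface is a request parameter literally named 'search', as the advisory states (verify the exact name against the installed plugin version before relying on it), and that legitimate calendar searches never contain SQL function calls, comment sequences or tautologies. It is a tripwire that blocks obvious probes and logs them for the SOC; it is not a substitute for the upstream fix.

```php
<?php
/**
 * Plugin Name: Search parameter guard (added illustration, not EventON or HarborGuard code)
 * Description: Rejects requests whose 'search' parameter carries SQL-injection tokens.
 *
 * Place in wp-content/mu-plugins/. Assumptions: the vulnerable input is a
 * request parameter literally named 'search' (as the advisory states; verify
 * against the installed plugin), and legitimate calendar searches never
 * contain SQL function calls, comment sequences or tautologies.
 */

// Returns true when $value looks like a blind-SQLi probe. Quotes on their
// own are deliberately NOT matched: "O'Brien" is a valid search term, and
// the real fix is parameterisation in the plugin, not character blacklisting.
function search_guard_is_probe( $value ) {
    $patterns = array(
        '/\b(sleep|benchmark|extractvalue|updatexml)\s*\(/i', // time/error-based primitives
        '/\bunion\b\s+(all\s+)?\bselect\b/i',                 // union-based probing
        '/\binformation_schema\b/i',                          // schema enumeration
        '/(--\s|\/\*)/',                                      // SQL comment sequences
        '/\b(and|or)\b\s*[\'"\d]+\s*=\s*[\'"\d]+/i',           // 1=1 / 'a'='a' tautologies
    );
    foreach ( $patterns as $re ) {
        if ( preg_match( $re, $value ) ) {
            return true;
        }
    }
    return false;
}

// plugins_loaded fires after every plugin file has been included but before
// the init, admin_init and wp_ajax_* actions run, so at priority 0 this check
// precedes any handler a regular plugin registers on those hooks.
function search_guard_check_request() {
    if ( ! isset( $_REQUEST['search'] ) ) {
        return;
    }
    $raw = wp_unslash( $_REQUEST['search'] );
    if ( is_array( $raw ) ) {
        $raw = implode( ' ', array_filter( $raw, 'is_scalar' ) );
    }
    $raw = (string) $raw;
    if ( ! search_guard_is_probe( $raw ) ) {
        return;
    }
    // Log enough for triage (source IP, truncated payload), then fail closed.
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-';
    error_log( sprintf( 'search-guard: blocked probe from %s: %s', $ip, substr( $raw, 0, 200 ) ) );
    wp_die( 'Bad request.', 'Bad request', array( 'response' => 400 ) );
}
add_action( 'plugins_loaded', 'search_guard_check_request', 0 );
```

The blocklist is case-insensitive but still bypassable with encoding tricks (inline comments inside function names, alternative whitespace), which is why the log line matters as much as the block: a burst of these entries from one address is the signal to hunt for slower, time-based probes that the patterns missed.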
Affected Products
- EventON / EventON (Pro) - WordPress Virtual Event Calendar Plugin: ≤ 5.0.11
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H