4.9
WordPress Community Events plugin: SQL Injection via CSV Upload
CVE-2026-2429
Summary
The Community Events plugin for WordPress has a SQL injection flaw that lets attackers with Administrator-level access read sensitive information from the database through a crafted CSV file upload. It affects all versions up to and including 1.5.8. Update to the latest version of the plugin to fix the problem.
Original title
The Community Events plugin for WordPress is vulnerable to SQL Injection via the 'ce_venue_name' CSV field in the `on_save_changes_venues` function in all versions up to, and including, 1.5.8. This...
Original description
The Community Events plugin for WordPress is vulnerable to SQL Injection via the 'ce_venue_name' CSV field in the `on_save_changes_venues` function in all versions up to, and including, 1.5.8. This is due to insufficient escaping on the user-supplied CSV data and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database via a crafted CSV file upload.
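The root cause named in the description (CSV values placed into SQL text without escaping or preparation) is shown here beside a prepared-statement form. This is an added example, not the plugin's code. Only `ce_venue_name` comes from the advisory; the function names, the `ce_venues_example` table and the CSV layout are assumptions.

```php
<?php
// Added illustration; NOT the Community Events plugin's source.
// Hypothetical: function names, table name, and CSV layout (venue name in column 0).

// Unsafe pattern: the CSV field becomes part of the SQL text itself.
function example_venue_exists_unsafe( $name ) {
    global $wpdb;
    $table = $wpdb->prefix . 'ce_venues_example'; // hypothetical table
    // A quote character inside $name ends the string literal early.
    return (int) $wpdb->get_var(
        "SELECT COUNT(*) FROM {$table} WHERE ce_venue_name = '{$name}'"
    );
}

// Hardened pattern: the value is bound through a placeholder, never concatenated.
function example_venue_exists_safe( $name ) {
    global $wpdb;
    $table = $wpdb->prefix . 'ce_venues_example';
    return (int) $wpdb->get_var(
        $wpdb->prepare( "SELECT COUNT(*) FROM {$table} WHERE ce_venue_name = %s", $name )
    );
}

// CSV import loop built only on the hardened lookup and $wpdb->insert().
function example_import_venues( $csv_path ) {
    global $wpdb;
    $table = $wpdb->prefix . 'ce_venues_example';
    $fh    = fopen( $csv_path, 'r' );
    if ( false === $fh ) {
        return 0;
    }
    $imported = 0;
    while ( false !== ( $row = fgetcsv( $fh ) ) ) {
        // Blank lines come back as array( null ); skip them and empty names.
        if ( ! isset( $row[0] ) || '' === trim( $row[0] ) ) {
            continue;
        }
        $name = sanitize_text_field( $row[0] );
        if ( 0 === example_venue_exists_safe( $name ) ) {
            // insert() binds each value using the format array ('%s' = string).
            $wpdb->insert( $table, array( 'ce_venue_name' => $name ), array( '%s' ) );
            $imported++;
        }
    }
    fclose( $fh );
    return $imported;
}
```

When reviewing an import handler, any `$wpdb->query()`, `get_var()` or `get_results()` call whose SQL string contains an interpolated file or request value is the pattern to flag.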
NVD CVSS 3.1
4.9
Vulnerability type
CWE-89
SQL Injection
- https://plugins.trac.wordpress.org/browser/community-events/tags/1.5.7/community...
- https://plugins.trac.wordpress.org/browser/community-events/trunk/community-even...
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old...
- https://www.wordfence.com/threat-intel/vulnerabilities/id/bd184c80-e785-4e9b-961...
Published: 7 Mar 2026 · Updated: 13 Mar 2026 · First seen: 7 Mar 2026