Introduction
Sensitive event data, user credentials, and even payment information stored in WordPress databases can be quietly exposed through a single unauthenticated request. CVE-2025-12197 targets The Events Calendar plugin, a mainstay of the WordPress ecosystem with over 700,000 active installations, making this vulnerability especially relevant for organizations relying on WordPress for event management.
Technical Information
CVE-2025-12197 is a blind SQL injection vulnerability in The Events Calendar plugin for WordPress, affecting versions 6.15.1.1 through 6.15.9. The flaw stems from insufficient escaping and the absence of prepared statements when the plugin handles the 's' parameter, which carries the search term for the plugin's search queries. Instead of sanitizing or parameterizing that input, the plugin's custom query logic interpolates the raw value of 's' directly into SQL statements, so an unauthenticated attacker can alter the query structure by supplying SQL syntax in the parameter.
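The following is an added illustration, not code from The Events Calendar plugin or from the advisory's author. It places the pattern described above (the raw 's' value concatenated into a LIKE clause) next to the parameterized form WordPress provides through $wpdb->prepare() and $wpdb->esc_like(). The MiniWpdb class is a constructed stand-in that mimics only the prepare()/esc_like() behaviour needed here, so the file runs outside WordPress; the table name and the query shape are assumptions for the demonstration.

```php
<?php
// Added example: vulnerable string interpolation versus a prepared statement.
// MiniWpdb is a constructed stand-in for the WordPress $wpdb object; it is
// not the real class, only enough of it to show the quoting behaviour.

class MiniWpdb
{
    public string $posts = 'wp_posts';   // assumed table name for the demo

    // Mimics wpdb::prepare(): each %s placeholder is replaced by a quoted,
    // escaped string literal, so a user-supplied quote cannot end the literal.
    public function prepare(string $query, ...$args): string
    {
        $quoted = array_map(
            fn($a) => "'" . addslashes((string) $a) . "'",
            $args
        );
        return vsprintf($query, $quoted);
    }

    // Mimics wpdb::esc_like(): escapes LIKE wildcards so a user-supplied
    // '%' or '_' matches literally instead of acting as a wildcard.
    public function esc_like(string $text): string
    {
        return addcslashes($text, '_%\\');
    }
}

// The pattern the advisory describes: the request value lands inside the
// SQL text unchanged, so a single quote in $s terminates the literal and
// everything after it is parsed as SQL.
function vulnerable_search_sql(MiniWpdb $wpdb, string $s): string
{
    return "SELECT ID FROM {$wpdb->posts} WHERE post_title LIKE '%{$s}%'";
}

// The hardened form: LIKE wildcards are escaped first, then the whole term
// is bound as one %s parameter. The query text never changes shape.
function hardened_search_sql(MiniWpdb $wpdb, string $s): string
{
    $like = '%' . $wpdb->esc_like($s) . '%';
    return $wpdb->prepare(
        "SELECT ID FROM {$wpdb->posts} WHERE post_title LIKE %s",
        $like
    );
}

// Counts unescaped single quotes: a statement built from one bound string
// should contain exactly two (the literal's delimiters). More than two means
// the input has broken out of the literal.
function unescaped_quote_count(string $sql): int
{
    return preg_match_all("/(?<!\\\\)'/", $sql);
}

$wpdb = new MiniWpdb();
// Constructed input: the time-based probe quoted in the advisory text.
$term = "test' AND IF(SUBSTRING(user_login,1,1)='a',SLEEP(5),0)";

foreach (['vulnerable' => vulnerable_search_sql($wpdb, $term),
          'hardened'   => hardened_search_sql($wpdb, $term)] as $label => $sql) {
    printf("%-10s quotes=%d  %s\n", $label, unescaped_quote_count($sql), $sql);
}
```

Run with `php example.php`. The vulnerable statement reports more than two unescaped quotes and carries the injected condition as live SQL; the hardened one reports exactly two, with the whole term (including its quote) sitting inside a single string literal, which is the property a code review of the search path should check for.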
The attack is classified as blind SQL injection. Rather than receiving direct output from the database, attackers infer information by observing application behavior or response times. For example, an attacker might use a payload such as s=test' AND IF(SUBSTRING(user_login,1,1)='a',SLEEP(5),0) to determine the first character of a username by measuring response delays. This technique allows extraction of sensitive data even when error messages are suppressed.
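For the detection side of the time-based technique described above, here is an added log-triage script; it is not part of the advisory and not the plugin's code. It reads web-server access lines, extracts the decoded 's' query parameter, and flags requests whose search term contains the building blocks of a blind probe (a quote followed by a boolean operator, timing or character-extraction functions, comment sequences) or whose response time is abnormally long for a search. The log format (combined format with a trailing request duration in seconds, as Apache's %D or nginx's $request_time provide) and every sample line are constructed.

```php
<?php
// Added example: flag likely blind-SQLi probes against the 's' parameter.
// Log format and sample lines are constructed; the duration field at the end
// is an assumption about how the server was configured to log it.

function sample_log_lines(): array
{
    return [
        '203.0.113.10 - - [20/Nov/2025:10:01:02 +0000] "GET /?s=concert HTTP/1.1" 200 5120 "-" "Mozilla/5.0" 0.212',
        '203.0.113.10 - - [20/Nov/2025:10:01:05 +0000] "GET /?s=test%27%20AND%20IF%28SUBSTRING%28user_login%2C1%2C1%29%3D%27a%27%2CSLEEP%285%29%2C0%29 HTTP/1.1" 200 5120 "-" "python-requests/2.31" 5.318',
        // A legitimate search containing quotes: should not be flagged.
        '198.51.100.7 - - [20/Nov/2025:10:02:00 +0000] "GET /events/?s=rock%27n%27roll HTTP/1.1" 200 7300 "-" "Mozilla/5.0" 0.180',
        // Slow but with a harmless term: reported for the delay only.
        '198.51.100.7 - - [20/Nov/2025:10:02:30 +0000] "GET /events/?s=jazz%20night HTTP/1.1" 200 7300 "-" "Mozilla/5.0" 4.900',
    ];
}

// Splits one combined-format line (plus trailing duration) into fields.
function parse_log_line(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)" ([\d.]+)$/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'time' => $m[2], 'method' => $m[3], 'target' => $m[4],
            'status' => (int) $m[5], 'ua' => $m[6], 'duration' => (float) $m[7]];
}

// Returns the URL-decoded 's' parameter, or null if the request has none.
function search_term(string $target): ?string
{
    $query = parse_url($target, PHP_URL_QUERY);
    if ($query === null || $query === false) {
        return null;
    }
    parse_str($query, $params);   // parse_str also percent-decodes values
    return isset($params['s']) ? (string) $params['s'] : null;
}

// Heuristics for the shape of an injection attempt in a search term.
function injection_indicators(string $s): array
{
    $checks = [
        'quote followed by AND/OR'      => "/['\"]\s*(and|or)\b/i",
        'timing function'               => '/\b(sleep|benchmark)\s*\(/i',
        'character-extraction function' => '/\b(substring|substr|mid|ascii|ord)\s*\(/i',
        'SQL comment sequence'          => '/--\s|\/\*/',
    ];
    $hits = [];
    foreach ($checks as $label => $pattern) {
        if (preg_match($pattern, $s)) {
            $hits[] = $label;
        }
    }
    return $hits;
}

// Produces one finding per request that matches an indicator or exceeds the
// slow-response threshold (seconds). A slow search with no indicators is
// still reported, because a WAF or proxy may have rewritten the term.
function triage(array $lines, float $slowSeconds = 3.0): array
{
    $findings = [];
    foreach ($lines as $line) {
        $rec = parse_log_line($line);
        if ($rec === null || ($s = search_term($rec['target'])) === null) {
            continue;
        }
        $reasons = injection_indicators($s);
        if ($rec['duration'] >= $slowSeconds) {
            $reasons[] = sprintf('slow response (%.1fs)', $rec['duration']);
        }
        if ($reasons) {
            $findings[] = ['ip' => $rec['ip'], 'time' => $rec['time'],
                           'term' => $s, 'reasons' => $reasons];
        }
    }
    return $findings;
}

foreach (triage(sample_log_lines()) as $f) {
    printf("%s %s s=%s\n    %s\n", $f['time'], $f['ip'], $f['term'], implode('; ', $f['reasons']));
}
```

Two findings come out of the sample set: the probe line matches three indicators and the slow-response rule, while the slow "jazz night" request is reported for its delay alone; the "rock'n'roll" search passes because a bare quote without an operator or function is not treated as evidence. Feeding real logs through `triage()` and correlating the flagged source addresses with plugin version (6.15.1.1 through 6.15.9) gives a quick read on whether the window was probed before patching.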
The vulnerability persists despite a previous fix for CVE-2025-9807, which affected versions up to 6.15.1. The incomplete remediation left the core issue unresolved in subsequent versions, allowing similar exploitation through the same parameter.
Affected Systems and Versions
- Product: The Events Calendar WordPress plugin
- Affected versions: 6.15.1.1 through 6.15.9
- Any WordPress installation with this plugin in the specified version range is vulnerable, regardless of configuration
Vendor Security History
The Events Calendar (Modern Tribe) has experienced recurring security issues, including:
- CVE-2025-9807: SQL injection in versions up to 6.15.1
- CVE-2024-8275: Unauthenticated SQL injection in tribe_has_next_event()
- CVE-2024-6931: Unauthenticated stored XSS
- CVE-2024-5333: Authorization bypass
While the vendor releases patches in response to disclosures, the recurrence of similar vulnerabilities indicates challenges in secure development and code review practices.