The Events Calendar WordPress Plugin CVE-2025-9807: Brief Summary of Time-Based SQL Injection Vulnerability

A brief summary of CVE-2025-9807, a time-based SQL injection vulnerability in The Events Calendar WordPress plugin affecting all versions up to and including 6.15.1. This post covers technical details, affected versions, and vendor security history based on available public sources.
CVE Analysis

8 min read

ZeroPath CVE Analysis

2025-09-11

Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

Introduction

Event management features are a core part of many WordPress sites, and The Events Calendar plugin is the go-to solution for over 700,000 active installations. A newly disclosed vulnerability, CVE-2025-9807, exposes these sites to time-based SQL injection attacks that can be triggered without authentication, potentially leading to database compromise and data leakage.

The Events Calendar is developed by theeventscalendar.com and is one of the most widely used plugins in the WordPress ecosystem. Its reach means that security issues here have broad implications for organizations of all sizes.

Technical Information

CVE-2025-9807 is a time-based SQL injection vulnerability affecting The Events Calendar plugin for WordPress. The flaw is present in all versions up to and including 6.15.1. The root cause is insufficient escaping and lack of prepared statements when handling the 's' parameter, which is typically used for search functionality within the plugin.

The vulnerable code is located in:

  • src/Events/Custom_Tables/V1/WP_Query/Custom_Tables_Query.php

Attackers can supply specially crafted input to the 's' parameter. Because the input is not properly sanitized or parameterized, malicious SQL can be injected into queries executed by the plugin. In a time-based SQL injection, the attacker uses database timing functions (such as SLEEP() in MySQL) to infer data from the database by observing how long the server takes to respond to different queries. This allows for data exfiltration even when error messages are suppressed or output is not directly visible.

The plugin's custom query implementation bypasses some of WordPress's built-in protections, making it more susceptible to this class of vulnerability. No public patch or detection method is available at this time.
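To make the root cause concrete, the following PHP is an added illustration, not code from The Events Calendar plugin: a hypothetical search handler over a placeholder custom table, shown first with the defect class described above (the raw 's' value spliced into the SQL string) and then in its hardened form, where the value is bound through $wpdb->prepare() and LIKE wildcards are escaped with $wpdb->esc_like(). The function names and the table name are assumptions.

```php
<?php
// Added illustration; not code from The Events Calendar plugin.
// Assumptions: a hypothetical WordPress plugin search handler that reads
// the request's 's' parameter and queries a custom table whose name
// ({$wpdb->prefix}tec_events) is a placeholder.

/**
 * Vulnerable pattern: the 's' value is concatenated straight into SQL.
 * Whatever the user supplies becomes part of the statement, which is the
 * defect class (no escaping, no prepared statement) behind CVE-2025-9807.
 */
function example_search_events_unsafe( string $s ): array {
    global $wpdb;
    $table = $wpdb->prefix . 'tec_events'; // placeholder table name
    $sql   = "SELECT post_id FROM {$table} WHERE title LIKE '%" . $s . "%'";
    return (array) $wpdb->get_col( $sql );
}

/**
 * Hardened pattern: the search term is passed as a bound %s placeholder
 * via $wpdb->prepare(), so it can never change the statement's structure,
 * and $wpdb->esc_like() makes '%' and '_' in the input match literally.
 * The table name is trusted (built from $wpdb->prefix), not user input.
 */
function example_search_events_safe( string $s ): array {
    global $wpdb;
    $table = $wpdb->prefix . 'tec_events'; // placeholder table name
    $like  = '%' . $wpdb->esc_like( $s ) . '%';
    $sql   = $wpdb->prepare(
        "SELECT post_id FROM {$table} WHERE title LIKE %s",
        $like
    );
    return (array) $wpdb->get_col( $sql );
}

/**
 * Defence in depth: normalise the raw request value before it reaches the
 * query layer. This does not replace prepare(); it only limits what the
 * query layer has to deal with.
 */
function example_read_search_term(): string {
    $s = isset( $_GET['s'] ) ? wp_unslash( $_GET['s'] ) : '';
    $s = sanitize_text_field( $s );
    return substr( $s, 0, 200 ); // cap the term length
}
```

The important difference is that prepare() separates the query text from the data, so timing functions or quote characters in the 's' value are treated as a literal search string rather than executable SQL.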

Affected Systems and Versions

  • Product: The Events Calendar WordPress plugin
  • Affected versions: All versions up to and including 6.15.1
  • Vulnerable configuration: Any WordPress site with the plugin enabled and reachable by unauthenticated users

Vendor Security History

The Events Calendar plugin has a history of critical security issues, including:

The recurrence of similar vulnerabilities suggests ongoing challenges in secure development and code review practices.
